A year-long study into the underground market for exploits in cybercriminal forums shows that crooks are salivating for Microsoft bugs, which are far and away the most requested and most sold exploits.
According to researchers (see chart below), Microsoft products made up a whopping 47 percent of the requests, compared with, say, internet of things (IoT) exploits, which accounted for only 5 percent.
The exploit market is accommodating cybercrooks’ hunger for puncturing Microsoft products, according to Trend Micro. A second data point (see chart below) shows that 61 percent of sold exploits targeted Microsoft products, including Office, Windows, Internet Explorer and Microsoft Remote Desktop Protocol (RDP).
No surprise there. Flashpoint researchers also reported in December that prices for RDP server access [have been surging](<https://threatpost.com/rdp-server-access-payment-card-data-in-high-cybercrime-demand/162476/>).
What gets sold on the exploits market. Source: Trend Micro
Most-requested exploits. Source: Trend Micro
The research was presented on Monday at the all-virtual RSA Conference 2021, by Trend Micro Senior Researcher Mayra Rosario Fuentes. In her session, titled [Tales from the Underground: The Vulnerability Weaponization Lifecycle](<https://www.rsaconference.com/Library/presentation/USA/2021/live-deeper-dive-tales-from-the-underground-the-vulnerability-weaponization-lifecycle>), Fuentes said that the study tracked the exploits that were sold and requested on more than 600 underground forums over a year.
Researchers found that the average price threat actors were willing to pay for an exploit was $2,000. The crooks are going after fresh, tender new vulnerabilities, with 52 percent of exploits on their wish list being less than 2 years old: an age bracket that also accounts for 54 percent of exploits being sold.
## Oldies But Goodies Are Still Hot-Hot-Hot
Older vulnerabilities are still in demand, though: 22 percent of the exploits sold in the underground were 3+ years old, according to Fuentes. The oldest vulnerability was downright arthritic, dating back to 1999.
Of the “outdated” exploits being sold, 45 percent were Microsoft-flavored, with the second crook crowd-pleaser being Adobe exploits. Fuentes pointed out that the average time to patch an internet-facing system is 71 days: a whole lot of time for attackers to do some damage.
Outdated exploits being sold on underground forums. Source: Trend Micro
You can see one example of an exploit request below, where the potential purchaser was looking for an exploit for [CVE-2019-1151](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1151>) – a Microsoft Graphics remote code execution (RCE) vulnerability.
Another request, posted on Dec. 23, 2020, was looking for “a potential 1-day RCE vulnerability” in Apache Web Server: not a surprising find, given that the RiskSense Spotlight [Report](<https://risksense.com/press_release/risksense-spotlight-report-finds-wordpress-and-apache-are-most-weaponized-web-and-application-frameworks/>) found that the WordPress and Apache Struts web frameworks were the [most-targeted by cybercriminals](<https://threatpost.com/wordpress-apache-struts-most-bug-exploits/153927/>) in 2019.
Trend Micro researchers found that Office and Adobe exploits were most common in English-speaking forums. As of last week, Adobe Acrobat, the world’s leading PDF reader, was [under active attack](<https://threatpost.com/adobe-zero-day-bug-acrobat-reader/166044/>) after a vulnerability that could lead to RCE was exploited. That one affected both Windows – one of attackers’ preferred sweet spots – and macOS systems.
Request for “a potential 1-day RCE vulnerability” in Apache Web Server. Source: Trend Micro
## Lifecycle of an Exploit
Like most markets, the exploit market has listings for both buyers and sellers. In one such “for sale” pitch, the seller offered two CVEs with a severity rating of 7.5, for the price of $1,000. Another ad offered four CVEs for $30,000 USD, including a loader script, with the added “benefit” of rechecking antivirus detection to make sure that the executable malware hasn’t yet been detected and won’t be blocked, among other services.
After criminals develop an exploit, the next step is to sell it. After it’s in the wild, a vulnerability moves into the stage of public disclosure. Next, the vendor patches the vulnerability. Finally, that vulnerability goes down one of two paths: if it’s patched, that’s it, end of life. If not, the exploit’s still there, waiting to be purchased and set free on whatever unlucky victims haven’t yet patched.
Fuentes gave a few case studies that illustrate the lifecycle. Below is a timeline depicting one of them, the eight-month lifecycle of CVE-2020-9054: an exploit that was sold on the XSS cybercriminal forum for $20,000 in February 2020, got written about by cybersecurity journalist Brian Krebs, was publicly disclosed and patched by Microsoft in March 2020, and wound up being [exploited by a botnet a month later](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>). That botnet, a variant of the [Mirai botnet](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) named Mukashi that targeted Zyxel network-attached storage (NAS) devices, allowed threat actors to remotely compromise and control devices.

The lifecycle of CVE-2020-9054, the vulnerability that got exploited by the Mukashi botnet. Source: Trend Micro
Five months after it was patched, in August 2020, another forum post requested an exploit, offering the bargain basement payment of $2,000: a tenth of the original exploit’s price.
## Where to Start When You Can’t Patch ‘Em All
“You can’t possibly patch all the CVEs each year,” Fuentes said. So how do you prioritize?
She recommended factoring in the desirability of an exploit when making patching plans. Don’t just pick your battles based on vulnerability severity. Rather, factor in what crooks want to use and what they can buy. Keep in mind that Microsoft and Adobe exploits are hot-ticket items: “It’s simply unrealistic to think you can patch everything,” Fuentes noted. “Focus on what hackers like to focus on: Microsoft and Adobe.”
Also bear in mind that [virtual patching](<https://owasp.org/www-community/Virtual_Patching_Best_Practices>) can buy additional time, she said. Virtual patching is a security policy enforcement layer that prevents the exploitation of a known vulnerability by analyzing transactions and intercepting attacks in transit, keeping malicious traffic from reaching the web application, all without having to take the time to modify the actual source code of the app itself.
Another factor in the “what to patch first” equation is the fact that vulnerability prices drop over time, but valuable exploits still stay valuable “longer than most expect,” Fuentes pointed out. “Patching yesterday’s popular vulnerability can be more important than today’s critical one,” she said.
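One way to turn this advice into a ranked backlog, as an added example that is not from the article or from Trend Micro's research. The weights, the demand half-life and floor, the `Finding` fields and the placeholder CVE labels are all assumptions made for illustration; only the Microsoft/Adobe emphasis, the slow decay of exploit value and the role of virtual patching come from the talk.

```python
from dataclasses import dataclass
from datetime import date

# Vendors the talk singles out as the most in-demand targets.
HIGH_DEMAND_VENDORS = {"microsoft", "adobe"}

# Illustrative weights: assumptions, not figures from the research.
W_VENDOR = 0.25            # vendor is a market favourite
W_REQUESTED = 0.35         # threat intel saw a forum request for this CVE
W_FOR_SALE = 0.50          # threat intel saw an exploit for this CVE on sale
W_EXPOSED = 0.30           # affected asset is internet-facing
VIRTUAL_PATCH_FACTOR = 0.5 # a virtual patch buys time; the finding stays open
DEMAND_HALF_LIFE_DAYS = 3 * 365  # demand fades slowly with age
DEMAND_FLOOR = 0.25        # old exploits keep some value and never decay to zero


@dataclass(frozen=True)
class Finding:
    cve: str
    vendor: str
    cvss: float
    disclosed: date
    requested: bool = False
    for_sale: bool = False
    internet_facing: bool = False
    virtual_patch: bool = False


def demand_score(f: Finding, today: date) -> float:
    """Market desirability of an exploit for this finding, decayed by age."""
    raw = 0.0
    if f.vendor.lower() in HIGH_DEMAND_VENDORS:
        raw += W_VENDOR
    if f.requested:
        raw += W_REQUESTED
    if f.for_sale:
        raw += W_FOR_SALE
    age_days = max((today - f.disclosed).days, 0)
    decay = max(0.5 ** (age_days / DEMAND_HALF_LIFE_DAYS), DEMAND_FLOOR)
    return raw * decay


def priority(f: Finding, today: date) -> float:
    """Severity scaled up by market demand and exposure, down by mitigation."""
    score = (f.cvss / 10.0) * (1.0 + demand_score(f, today))
    if f.internet_facing:
        score *= 1.0 + W_EXPOSED
    if f.virtual_patch:
        score *= VIRTUAL_PATCH_FACTOR
    return round(score, 3)


def rank(findings, today: date):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


# Constructed sample backlog; the CVE labels are placeholders, not real IDs.
TODAY = date(2021, 5, 18)
NEW_CRITICAL = Finding("CVE-PLACEHOLDER-A", "ExampleCorp", 9.8, date(2021, 4, 1))
OLD_POPULAR = Finding("CVE-PLACEHOLDER-B", "Microsoft", 7.5, date(2019, 8, 1),
                      requested=True, for_sale=True, internet_facing=True)
OLD_POPULAR_SHIELDED = Finding("CVE-PLACEHOLDER-C", "Microsoft", 7.5,
                               date(2019, 8, 1), requested=True, for_sale=True,
                               internet_facing=True, virtual_patch=True)
ANCIENT_ON_SALE = Finding("CVE-PLACEHOLDER-D", "ExampleCorp", 6.0,
                          date(1999, 1, 1), for_sale=True)
SAMPLE_BACKLOG = [NEW_CRITICAL, OLD_POPULAR, OLD_POPULAR_SHIELDED, ANCIENT_ON_SALE]

if __name__ == "__main__":
    for f in rank(SAMPLE_BACKLOG, TODAY):
        print(f"{priority(f, TODAY):6.3f}  {f.cve}  {f.vendor}  CVSS {f.cvss}")
```

With this sample data the two-year-old CVSS 7.5 Microsoft finding that is both requested and on sale ranks above the month-old CVSS 9.8 finding with no market signal, which is the "yesterday's popular vulnerability" case Fuentes describes.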
or an Affiliate thereof.\");\n\n script_dependencies(\"zyxel_usg_web_detect.nbin\", \"zyxel_usg_detect.nbin\");\n script_require_keys(\"installed_sw/Zyxel Unified Security Gateway (USG)\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nvar app = 'Zyxel Unified Security Gateway (USG)';\n\nvar app_info = vcf::combined_get_app_info(app:app);\n\nvar model = app_info['Model'];\nvar constraints = [];\n\nif(empty_or_null(model))\n audit(AUDIT_OS_CONF_UNKNOWN, 'Zyxel device');\n\nif ('ATP' >< model || 'USG' >< model || 'VPN' >< model || 'ZyWALL' >< model)\n constraints = [{ 'fixed_version' : '4.35' }];\nelse if ('NAS' >< model)\n constraints = [{ 'fixed_version' : '5.21' }];\nelse\n audit(AUDIT_NOT_INST, 'Zyxel NAS / USG / ATP / VPN / ZyWALL Device');\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-21T15:26:23", "description": "The Firmware version of the Zyxel USG, ATP, ZyWALL or VPN is affected by multiple vulnerabilities: \n\n - A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. 
(CVE-2023-33009)\n\n - A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code execution on an affected device. (CVE-2023-33010)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-05-26T00:00:00", "type": "nessus", "title": "Zyxel USG < 4.35 / ATP < 4.35 / VPN < 4.35 / ZyWALL < 4.35 (RCE) (CVE-2020-9054)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-9054", "CVE-2023-33009", "CVE-2023-33010"], "modified": "2023-06-09T00:00:00", "cpe": ["cpe:/h:zyxel:usg_flex"], "id": "ZYXEL_USG_CVE-2023-33010.NASL", "href": "https://www.tenable.com/plugins/nessus/176416", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176416);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/09\");\n\n script_cve_id(\"CVE-2023-33009\", \"CVE-2023-33010\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2023/06/26\");\n script_xref(name:\"IAVA\", value:\"2023-A-0279\");\n\n script_name(english:\"Zyxel USG < 4.35 / ATP < 4.35 / VPN < 4.35 / ZyWALL < 4.35 (RCE) (CVE-2020-9054)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote security gateway is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Firmware version of the Zyxel USG, ATP, ZyWALL or VPN is affected by multiple 
vulnerabilities: \n\n - A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 \n through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) \n firmware versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, \n VPN series firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through \n 4.73 Patch 1, could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and \n even a remote code execution on an affected device. (CVE-2023-33009)\n\n - A buffer overflow vulnerability in the notification function in Zyxel ATP series firmware versions 4.32 \n through 5.36 Patch 1, USG FLEX series firmware versions 4.50 through 5.36 Patch 1, USG FLEX 50(W) firmware \n versions 4.25 through 5.36 Patch 1, USG20(W)-VPN firmware versions 4.25 through 5.36 Patch 1, VPN series \n firmware versions 4.30 through 5.36 Patch 1, ZyWALL/USG series firmware versions 4.25 through 4.73 Patch 1, \n could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and even a remote code \n execution on an affected device. 
(CVE-2023-33010)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-buffer-overflow-vulnerabilities-of-firewalls\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5a194b9d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Zyxel USG / ATP / VPN to version 4.36 Patch 1 or later or upgrade Zyxel ZyWALL to version 4.73 Patch 1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2023-33010\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2023/05/24\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/05/26\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:zyxel:usg_flex\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Firewalls\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"zyxel_usg_web_detect.nbin\", \"zyxel_usg_detect.nbin\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/Zyxel Unified Security Gateway (USG)\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\n# we don't have the ability to detect the patch level yet,\n# so paranoia is required and fixed version is + .01\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar app = 'Zyxel Unified Security Gateway (USG)';\n\nvar app_info = vcf::combined_get_app_info(app:app);\n\nvar model = app_info['Model'];\nvar constraints = [];\n\nif(empty_or_null(model))\n audit(AUDIT_OS_CONF_UNKNOWN, 'Zyxel device');\n\nif ('ATP' >< model)\n constraints = [{'min_version':'4.32', 'fixed_version' : '5.36.01', 'fixed_display' : '5.36 Patch 1' }];\nelse if (model =~ \"USG FLEX [25]0W?[^0]\")\n constraints = [{'min_version':'4.25', 'fixed_version' : '5.36.01', 'fixed_display' : '5.36 Patch 1' }];\nelse if ('USG FLEX' >< model)\n constraints = [{'min_version':'4.50', 'fixed_version' : '5.36.01', 'fixed_display' : '5.36 Patch 1' }];\nelse if ('VPN' >< model)\n constraints = [{'min_version':'4.30', 'fixed_version' : '5.36.01', 'fixed_display' : '5.36 Patch 1' }];\nelse if ('ZyWALL' >< model)\n constraints = [{'min_version':'4.25', 'fixed_version' : '4.73.01', 'fixed_display' : '4.73 Patch 1' }];\nelse\n audit(AUDIT_NOT_INST, 'Zyxel USG / ATP / VPN / ZyWALL Device');\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:01", "description": "The Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. It is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability exists in Microsoft Word due to improper handling of objects in memory. 
An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary commands in the security context of the current user. (CVE-2019-1201, CVE-2019-1205)\n\n - An information disclosure vulnerability exists in Microsoft Windows Graphics due to improper handling of objects in memory. An authenticated, local attacker can exploit this, by running a specially crafted application to obtain information for further compromise of the system. (CVE-2019-1148, CVE-2019-1153)\n\n - A remote code execution vulnerability exists in Windows font library due to improper handling of embedded fonts. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or open a specially crafted file, to execute arbitrary commands. (CVE-2019-1149, CVE-2019-1151)", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "nessus", "title": "Security Update for Microsoft Office (August 2019) (macOS)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1151", "CVE-2019-1153", "CVE-2019-1201", "CVE-2019-1205"], "modified": "2022-05-19T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x", "cpe:/a:microsoft:office", "cpe:/a:microsoft:excel", "cpe:/a:microsoft:word", "cpe:/a:microsoft:powerpoint", "cpe:/a:microsoft:outlook", "cpe:/a:microsoft:onenote"], "id": "MACOS_MS19_AUG_OFFICE.NASL", "href": "https://www.tenable.com/plugins/nessus/127894", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127894);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1151\",\n \"CVE-2019-1153\",\n \"CVE-2019-1201\",\n \"CVE-2019-1205\"\n );\n\n script_name(english:\"Security Update for Microsoft Office (August 2019) (macOS)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Office application installed on the remote macOS or Mac OS X host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability exists in Microsoft Word due to improper handling of objects in memory. An\n unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute\n arbitrary commands in the security context of the current user. (CVE-2019-1201, CVE-2019-1205)\n\n - An information disclosure vulnerability exists in Microsoft Windows Graphics due to improper handling of objects in\n memory. An authenticated, local attacker can exploit this, by running a specially crafted application to obtain\n information for further compromise of the system. (CVE-2019-1148, CVE-2019-1153)\n\n - A remote code execution vulnerability exists in Windows font library due to improper handling of embedded fonts. An\n unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website or\n open a specially crafted file, to execute arbitrary commands. 
(CVE-2019-1149, CVE-2019-1151)\");\n # https://docs.microsoft.com/en-us/officeupdates/release-notes-office-2016-mac#august-2019-release\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4a62a6d3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Microsoft Office for Mac.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1205\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-1151\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:office\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:excel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:word\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:powerpoint\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:outlook\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:onenote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_office_installed.nbin\");\n script_require_keys(\"Host/MacOSX/Version\");\n script_require_ports(\"installed_sw/Microsoft Word\", \"installed_sw/Microsoft Excel\", \"installed_sw/Microsoft PowerPoint\", \"installed_sw/Microsoft OneNote\", \"installed_sw/Microsoft Outlook\");\n\n exit(0);\n}\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"vcf.inc\");\n\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\napps = make_list(\n 'Microsoft Word',\n 'Microsoft Excel',\n 'Microsoft PowerPoint',\n 'Microsoft OneNote',\n 'Microsoft Outlook'\n);\nreport = '';\n\n#2016\nmin_ver_16 = '16';\nfix_ver_16 = '16.16.13';\nfix_disp_16 = '16.16.13 (19081100)';\n\n#2019\nmin_ver_19 = '16.17.0';\nfix_ver_19 = '16.28';\nfix_disp_19 = '16.28 (19081202)';\n\nforeach app (apps)\n{\n installs = get_installs(app_name:app);\n if (isnull(installs[1]))\n continue;\n\n foreach install (installs[1])\n {\n version = install['version'];\n\n if (ver_compare(ver:version, minver:min_ver_19, fix:fix_ver_19, strict:FALSE) < 0)\n {\n app_label = app + ' for Mac 2019';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_disp_19;\n }\n else if (ver_compare(ver:version, minver:min_ver_16, fix:fix_ver_16, strict:FALSE) < 0)\n {\n app_label = app + ' for Mac 2016';\n report +=\n '\\n\\n Product : ' + app_label +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix_disp_16;\n }\n }\n}\nif (empty(report))\n audit(AUDIT_HOST_NOT, \"affected\");\n\nif (os =~ \"^Mac OS X 10\\.[0-9](\\.|$)\")\n report += '\\n Note : Update will require Mac OS X 10.10.0 or later.\\n';\n\nsecurity_report_v4(severity:SECURITY_HOLE, port:0, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-05-24T14:27:00", "description": "The remote Windows host is missing security update 4512491 or cumulative update 4512476. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1154, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1169)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. 
(CVE-2019-1078)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1228)\n\n - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server. (CVE-2019-1213)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4512491: Windows Server 2008 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0720", "CVE-2019-0736", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1133", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1154", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1169", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1183", "CVE-2019-1187", "CVE-2019-1194", "CVE-2019-1212", "CVE-2019-1213", "CVE-2019-1228"], "modified": "2022-05-19T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_AUG_4512476.NASL", "href": "https://www.tenable.com/plugins/nessus/127842", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127842);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/19\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0720\",\n \"CVE-2019-0736\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1133\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1154\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1169\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1183\",\n \"CVE-2019-1187\",\n \"CVE-2019-1194\",\n \"CVE-2019-1212\",\n \"CVE-2019-1213\",\n \"CVE-2019-1228\"\n );\n script_xref(name:\"MSKB\", value:\"4512476\");\n script_xref(name:\"MSKB\", value:\"4512491\");\n script_xref(name:\"MSFT\", value:\"MS19-4512476\");\n script_xref(name:\"MSFT\", value:\"MS19-4512491\");\n\n script_name(english:\"KB4512491: Windows Server 2008 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512491\nor cumulative update 4512476. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. 
An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. (CVE-2019-1187)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1154, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. 
The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1169)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1057)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. 
(CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A memory corruption vulnerability exists in the Windows\n DHCP client when an attacker sends specially crafted\n DHCP responses to a client. An attacker who successfully\n exploited the vulnerability could run arbitrary code on\n the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - An elevation of privilege vulnerability exists in the\n way that the rpcss.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0714, CVE-2019-0715)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1183)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1228)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0720)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when processing specially crafted\n packets. An attacker who successfully exploited the\n vulnerability could cause the DHCP server service to\n stop responding. (CVE-2019-1212)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP server. An attacker who\n successfully exploited the vulnerability could run\n arbitrary code on the DHCP server. 
(CVE-2019-1213)\");\n # https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fa319ae7\");\n # https://support.microsoft.com/en-us/help/4512476/windows-server-2008-update-kb4512476\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?127b7a44\");\n # https://support.microsoft.com/en-us/help/4512491/windows-server-2008-update-kb4512491\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b5f68421\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4512491 or Cumulative Update KB4512476.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1183\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-1213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4512491', '4512476');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4512491, 4512476])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:04", "description": "The remote Windows host is missing security update 4512486 or cumulative update 4512506. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). 
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1154, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1169)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2019-1181, CVE-2019-1182)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0723)\n\n - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. 
An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1228)\n\n - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. 
(CVE-2019-1057)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4512486: Windows 7 and Windows Server 2008 R2 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1133", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1154", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1169", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1187", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1212", "CVE-2019-1228", "CVE-2019-9506"], "modified": "2023-02-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS19_AUG_4512506.NASL", "href": "https://www.tenable.com/plugins/nessus/127846", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127846);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0720\",\n \"CVE-2019-0723\",\n \"CVE-2019-0736\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1133\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1154\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1169\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1187\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1212\",\n \"CVE-2019-1228\",\n \"CVE-2019-9506\"\n );\n script_xref(name:\"MSKB\", value:\"4512506\");\n script_xref(name:\"MSKB\", value:\"4512486\");\n script_xref(name:\"MSFT\", value:\"MS19-4512506\");\n script_xref(name:\"MSFT\", value:\"MS19-4512486\");\n\n script_name(english:\"KB4512486: Windows 7 and Windows Server 2008 R2 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512486\nor cumulative update 4512506. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. (CVE-2019-1187)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. 
There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1154, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - Microsoft is aware of the\n Bluetooth BR/EDR (basic rate/enhanced data rate, known\n as "Bluetooth Classic") key negotiation\n vulnerability that exists at the hardware specification\n level of any BR/EDR Bluetooth device. An attacker could\n potentially be able to negotiate the offered key length\n down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. 
An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1169)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote\n Desktop Services formerly known as Terminal Services\n when an unauthenticated attacker connects to the target\n system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no\n user interaction. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0723)\n\n - A memory corruption vulnerability exists in the Windows\n DHCP client when an attacker sends specially crafted\n DHCP responses to a client. An attacker who successfully\n exploited the vulnerability could run arbitrary code on\n the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127843);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0718\",\n \"CVE-2019-0720\",\n \"CVE-2019-0723\",\n \"CVE-2019-0736\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1133\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1172\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1180\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1187\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1206\",\n \"CVE-2019-1212\",\n \"CVE-2019-9506\"\n );\n script_xref(name:\"MSKB\", value:\"4512489\");\n script_xref(name:\"MSKB\", value:\"4512488\");\n script_xref(name:\"MSFT\", value:\"MS19-4512489\");\n script_xref(name:\"MSFT\", value:\"MS19-4512488\");\n\n script_name(english:\"KB4512489: Windows 8.1 and Windows Server 2012 R2 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512489\nor cumulative update 4512488. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). 
An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. (CVE-2019-1187)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - Microsoft is aware of the\n Bluetooth BR/EDR (basic rate/enhanced data rate, known\n as 'Bluetooth Classic') key negotiation\n vulnerability that exists at the hardware specification\n level of any BR/EDR Bluetooth device. An attacker could\n potentially be able to negotiate the offered key length\n down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - An elevation of privilege vulnerability exists in the\n way that the wcmsvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1180)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the user's system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. An attacker\n who successfully exploited the vulnerability could cause\n the DHCP service to become nonresponsive.\n (CVE-2019-1206)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote\n Desktop Services formerly known as Terminal Services\n when an unauthenticated attacker connects to the target\n system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no\n user interaction. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A memory corruption vulnerability exists in the Windows\n DHCP client when an attacker sends specially crafted\n DHCP responses to a client. An attacker who successfully\n exploited the vulnerability could run arbitrary code on\n the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the\n way that the rpcss.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists in Azure\n Active Directory (AAD) Microsoft Account (MSA) during\n the login request session. An attacker who successfully\n exploited the vulnerability could take over a user's\n account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. 
(CVE-2019-0714, CVE-2019-0715, CVE-2019-0718,\n CVE-2019-0723)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0720)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when processing specially crafted\n packets. An attacker who successfully exploited the\n vulnerability could cause the DHCP server service to\n stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. 
(CVE-2019-1057)\");\n # https://support.microsoft.com/en-us/help/4512489/windows-8-1-update-kb4512489\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7c858a23\");\n # https://support.microsoft.com/en-us/help/4512488/windows-8-1-update-kb4512488\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1fc7ed0c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4512489 or Cumulative Update KB4512488.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1182\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4512488', '4512489');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4512488, 4512489])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:13", "description": "The remote Windows host is missing security update 4512497.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). 
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1139, CVE-2019-1140, CVE-2019-1197)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518)\n\n - Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as \"Bluetooth Classic\") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file's signature. 
(CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0718, CVE-2019-0723)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4512497: Windows 10 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0718", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-1030", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1133", "CVE-2019-1139", "CVE-2019-1140", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1172", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1186", "CVE-2019-1187", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1197", "CVE-2019-1198", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2023-02-10T00:00:00", "cpe": 
["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_AUG_4512497.NASL", "href": "https://www.tenable.com/plugins/nessus/127844", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127844);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0718\",\n \"CVE-2019-0720\",\n \"CVE-2019-0723\",\n \"CVE-2019-0736\",\n \"CVE-2019-1030\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1133\",\n \"CVE-2019-1139\",\n \"CVE-2019-1140\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1163\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1172\",\n \"CVE-2019-1176\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1179\",\n \"CVE-2019-1180\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1186\",\n \"CVE-2019-1187\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1197\",\n \"CVE-2019-1198\",\n \"CVE-2019-9506\",\n \"CVE-2019-9511\",\n \"CVE-2019-9512\",\n \"CVE-2019-9513\",\n \"CVE-2019-9514\",\n \"CVE-2019-9518\"\n );\n script_xref(name:\"MSKB\", value:\"4512497\");\n script_xref(name:\"MSFT\", value:\"MS19-4512497\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0643\");\n\n script_name(english:\"KB4512497: Windows 10 August 2019 Security Update\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512497.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. 
(CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1139, CVE-2019-1140,\n CVE-2019-1197)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP/2 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. 
(CVE-2019-9511,\n CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,\n CVE-2019-9518)\n\n - <h1>Executive Summary</h1> Microsoft is aware of the\n Bluetooth BR/EDR (basic rate/enhanced data rate, known\n as "Bluetooth Classic") key negotiation\n vulnerability that exists at the hardware specification\n level of any BR/EDR Bluetooth device. An attacker could\n potentially be able to negotiate the offered key length\n down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the\n way that the wcmsvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - An elevation of privilege vulnerability exists in the\n way that the unistore.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows\n incorrectly validates CAB file signatures. An attacker\n who successfully exploited this vulnerability could\n inject code into a CAB file without invalidating the\n file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote\n Desktop Services formerly known as Terminal Services\n when an unauthenticated attacker connects to the target\n system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no\n user interaction. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A memory corruption vulnerability exists in the Windows\n DHCP client when an attacker sends specially crafted\n DHCP responses to a client. 
An attacker who successfully\n exploited the vulnerability could run arbitrary code on\n the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the\n way that the rpcss.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure\n Active Directory (AAD) Microsoft Account (MSA) during\n the login request session. 
An attacker who successfully\n exploited the vulnerability could take over a user's\n account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0718,\n CVE-2019-0723)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0720)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. 
(CVE-2019-1057)\");\n # https://support.microsoft.com/en-us/help/4512497/windows-10-update-kb4512497\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?44d01258\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4512497.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1182\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4512497');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4512497])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:06", "description": "The remote Windows host is missing security update 4512507.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. 
The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518)\n\n - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. (CVE-2019-0736)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0718, CVE-2019-0723)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2019-1139, CVE-2019-1140, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. 
(CVE-2019-1057)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4512507: Windows 10 Version 1703 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0718", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-1030", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1133", "CVE-2019-1139", "CVE-2019-1140", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1171", "CVE-2019-1172", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1186", "CVE-2019-1187", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1195", "CVE-2019-1196", "CVE-2019-1197", "CVE-2019-1198", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2023-02-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_AUG_4512507.NASL", "href": "https://www.tenable.com/plugins/nessus/127847", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127847);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0718\",\n \"CVE-2019-0720\",\n \"CVE-2019-0723\",\n \"CVE-2019-0736\",\n \"CVE-2019-1030\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1133\",\n \"CVE-2019-1139\",\n \"CVE-2019-1140\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1163\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1171\",\n \"CVE-2019-1172\",\n \"CVE-2019-1176\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1179\",\n \"CVE-2019-1180\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1186\",\n \"CVE-2019-1187\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1195\",\n \"CVE-2019-1196\",\n \"CVE-2019-1197\",\n \"CVE-2019-1198\",\n \"CVE-2019-9506\",\n \"CVE-2019-9511\",\n \"CVE-2019-9512\",\n \"CVE-2019-9513\",\n \"CVE-2019-9514\",\n \"CVE-2019-9518\"\n );\n script_xref(name:\"MSKB\", value:\"4512507\");\n script_xref(name:\"MSFT\", value:\"MS19-4512507\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0643\");\n\n script_name(english:\"KB4512507: Windows 10 Version 1703 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512507.\nIt is, 
therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4512517');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4512517])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:19", "description": "The remote Windows host is missing security update 4512516.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518)\n\n - <h1>Executive Summary</h1> Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as "Bluetooth Classic") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. 
An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197)\n\n - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine. 
(CVE-2019-0736)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. 
An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0718, CVE-2019-0723)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)\n\n - An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1175)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4512516: Windows 10 Version 1709 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0718", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-0965", "CVE-2019-1030", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1131", "CVE-2019-1133", "CVE-2019-1139", "CVE-2019-1140", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1171", "CVE-2019-1172", "CVE-2019-1175", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1186", "CVE-2019-1187", "CVE-2019-1188", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1195", "CVE-2019-1196", "CVE-2019-1197", "CVE-2019-1198", "CVE-2019-1212", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2023-02-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_AUG_4512516.NASL", "href": "https://www.tenable.com/plugins/nessus/127849", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127849);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0718\",\n \"CVE-2019-0720\",\n \"CVE-2019-0723\",\n \"CVE-2019-0736\",\n \"CVE-2019-0965\",\n \"CVE-2019-1030\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1131\",\n \"CVE-2019-1133\",\n \"CVE-2019-1139\",\n \"CVE-2019-1140\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1163\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1171\",\n \"CVE-2019-1172\",\n \"CVE-2019-1175\",\n \"CVE-2019-1176\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1179\",\n \"CVE-2019-1180\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1186\",\n \"CVE-2019-1187\",\n \"CVE-2019-1188\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1195\",\n \"CVE-2019-1196\",\n \"CVE-2019-1197\",\n \"CVE-2019-1198\",\n \"CVE-2019-1212\",\n \"CVE-2019-9506\",\n \"CVE-2019-9511\",\n \"CVE-2019-9512\",\n \"CVE-2019-9513\",\n \"CVE-2019-9514\",\n \"CVE-2019-9518\"\n );\n script_xref(name:\"MSKB\", value:\"4512516\");\n script_xref(name:\"MSFT\", value:\"MS19-4512516\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0643\");\n\n script_name(english:\"KB4512516: Windows 10 Version 1709 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512516.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. 
(CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP/2 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2019-9511,\n CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,\n CVE-2019-9518)\n\n - <h1>Executive Summary</h1> Microsoft is aware of the\n Bluetooth BR/EDR (basic rate/enhanced data rate, known\n as "Bluetooth Classic") key negotiation\n vulnerability that exists at the hardware specification\n level of any BR/EDR Bluetooth device. An attacker could\n potentially be able to negotiate the offered key length\n down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. 
(CVE-2019-1188)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-0965)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - An elevation of privilege vulnerability exists in the\n way that the wcmsvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. (CVE-2019-1131, CVE-2019-1139,\n CVE-2019-1140, CVE-2019-1195, CVE-2019-1196,\n CVE-2019-1197)\n\n - An elevation of privilege vulnerability exists in the\n way that the unistore.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - An information disclosure vulnerability exists in\n SymCrypt during the OAEP decryption stage. An attacker\n who successfully exploited this vulnerability could\n obtain information to further compromise the users\n system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows\n incorrectly validates CAB file signatures. An attacker\n who successfully exploited this vulnerability could\n inject code into a CAB file without invalidating the\n file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in Remote\n Desktop Services formerly known as Terminal Services\n when an unauthenticated attacker connects to the target\n system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no\n user interaction. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1181, CVE-2019-1182)\n\n - A memory corruption vulnerability exists in the Windows\n DHCP client when an attacker sends specially crafted\n DHCP responses to a client. An attacker who successfully\n exploited the vulnerability could run arbitrary code on\n the client machine. (CVE-2019-0736)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1183)\n\n - An elevation of privilege vulnerability exists in the\n way that the rpcss.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. 
script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4512501');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4512501])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:03", "description": "The remote Windows host is missing security update 4511553.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. 
(CVE-2019-1190)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. (CVE-2019-1224, CVE-2019-1225)\n\n - An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.\n (CVE-2019-1170)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518)\n\n - Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as \"Bluetooth Classic\") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. 
An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1223)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1227)\n\n - An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1173, CVE-2019-1174)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. 
The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0717, CVE-2019-0718, CVE-2019-0723)\n\n - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could cause the DHCP service to become nonresponsive.\n (CVE-2019-1206)\n\n - An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1175)\n\n - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. 
An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183)\n\n - A remote code execution vulnerability exists when Windows Hyper-V Network Switch on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0720)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. 
An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. 
An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. (CVE-2019-1184)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)\n\n - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. 
The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1141, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4511553: Windows 10 Version 1809 and Windows Server 2019 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0717", "CVE-2019-0718", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0965", "CVE-2019-1030", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1131", "CVE-2019-1133", "CVE-2019-1139", "CVE-2019-1140", "CVE-2019-1141", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1170", "CVE-2019-1171", "CVE-2019-1172", "CVE-2019-1173", "CVE-2019-1174", "CVE-2019-1175", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1184", "CVE-2019-1186", "CVE-2019-1187", "CVE-2019-1188", "CVE-2019-1190", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1195", "CVE-2019-1196", "CVE-2019-1197", "CVE-2019-1198", "CVE-2019-1206", "CVE-2019-1212", "CVE-2019-1222", "CVE-2019-1223", "CVE-2019-1224", "CVE-2019-1225", "CVE-2019-1226", "CVE-2019-1227", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2023-02-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": 
"SMB_NT_MS19_AUG_4511553.NASL", "href": "https://www.tenable.com/plugins/nessus/127841", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127841);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0717\",\n \"CVE-2019-0718\",\n \"CVE-2019-0720\",\n \"CVE-2019-0723\",\n \"CVE-2019-0965\",\n \"CVE-2019-1030\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1131\",\n \"CVE-2019-1133\",\n \"CVE-2019-1139\",\n \"CVE-2019-1140\",\n \"CVE-2019-1141\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1163\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1170\",\n \"CVE-2019-1171\",\n \"CVE-2019-1172\",\n \"CVE-2019-1173\",\n \"CVE-2019-1174\",\n \"CVE-2019-1175\",\n \"CVE-2019-1176\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1179\",\n \"CVE-2019-1180\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1184\",\n \"CVE-2019-1186\",\n \"CVE-2019-1187\",\n \"CVE-2019-1188\",\n \"CVE-2019-1190\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1195\",\n \"CVE-2019-1196\",\n \"CVE-2019-1197\",\n \"CVE-2019-1198\",\n \"CVE-2019-1206\",\n \"CVE-2019-1212\",\n \"CVE-2019-1222\",\n \"CVE-2019-1223\",\n \"CVE-2019-1224\",\n \"CVE-2019-1225\",\n \"CVE-2019-1226\",\n 
\"CVE-2019-1227\",\n \"CVE-2019-9506\",\n \"CVE-2019-9511\",\n \"CVE-2019-9512\",\n \"CVE-2019-9513\",\n \"CVE-2019-9514\",\n \"CVE-2019-9518\"\n );\n script_xref(name:\"MSKB\", value:\"4511553\");\n script_xref(name:\"MSFT\", value:\"MS19-4511553\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0643\");\n\n script_name(english:\"KB4511553: Windows 10 Version 1809 and Windows Server 2019 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4511553.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows kernel image handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2019-1190)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. 
The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - An information disclosure vulnerability exists when the\n Windows RDP server improperly discloses the contents of\n its memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the system. (CVE-2019-1224, CVE-2019-1225)\n\n - An elevation of privilege vulnerability exists when\n reparse points are created by sandboxed processes\n allowing sandbox escape. An attacker who successfully\n exploited the vulnerability could use the sandbox escape\n to elevate privileges on an affected system.\n (CVE-2019-1170)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. 
An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP/2 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2019-9511,\n CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,\n CVE-2019-9518)\n\n - <h1>Executive Summary</h1> Microsoft is aware of the\n Bluetooth BR/EDR (basic rate/enhanced data rate, known\n as "Bluetooth Classic") key negotiation\n vulnerability that exists at the hardware specification\n level of any BR/EDR Bluetooth device. An attacker could\n potentially be able to negotiate the offered key length\n down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1223)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1227)\n\n - An elevation of privilege vulnerability exists in the\n way that the PsmServiceExtHost.dll handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2019-1173, CVE-2019-1174)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2019-1188)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-0965)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0717,\n CVE-2019-0718, CVE-2019-0723)\n\n - An elevation of privilege vulnerability exists in the\n way that the wcmsvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when an attacker sends specially\n crafted packets to a DHCP failover server. 
An attacker\n who successfully exploited the vulnerability could cause\n the DHCP service to become nonresponsive.\n (CVE-2019-1206)\n\n - An elevation of privilege vulnerability exists in the\n way that the psmsrv.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1175)\n\n - An information disclosure vulnerability exists in\n SymCrypt during the OAEP decryption stage. An attacker\n who successfully exploited this vulnerability could\n obtain information to further compromise the users\n system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows\n incorrectly validates CAB file signatures. An attacker\n who successfully exploited this vulnerability could\n inject code into a CAB file without invalidating the\n file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. 
An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1183)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V Network Switch on a host server fails to\n properly validate input from an authenticated user on a\n guest operating system. (CVE-2019-0720)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A remote code execution vulnerability exists in Remote\n Desktop Services formerly known as Terminal Services\n when an unauthenticated attacker connects to the target\n system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no\n user interaction. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1181, CVE-2019-1182,\n CVE-2019-1222, CVE-2019-1226)\n\n - An elevation of privilege vulnerability exists in the\n way that the rpcss.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure\n Active Directory (AAD) Microsoft Account (MSA) during\n the login request session. An attacker who successfully\n exploited the vulnerability could take over a user's\n account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - An elevation of privilege vulnerability exists when\n Windows Core Shell COM Server Registrar improperly\n handles COM calls. 
An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. (CVE-2019-1184)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when processing specially crafted\n packets. An attacker who successfully exploited the\n vulnerability could cause the DHCP server service to\n stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1057)\n\n - An elevation of privilege vulnerability exists in the\n way that the unistore.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1131, CVE-2019-1139,\n CVE-2019-1140, CVE-2019-1141, CVE-2019-1195,\n CVE-2019-1196, CVE-2019-1197)\");\n # https://support.microsoft.com/en-us/help/4511553/windows-10-update-kb4511553\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fcb0045c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4511553.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4511553');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17763\",\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4511553])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:26:58", "description": "The remote Windows host is missing security update 4512508.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1190)\n\n - An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). 
An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins. The vulnerability allows Microsoft browsers to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A denial of service vulnerability exists when the XmlLite runtime (XmlLite.dll) improperly parses XML input. An attacker who successfully exploited this vulnerability could cause a denial of service against an XML application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to an XML application. The update addresses the vulnerability by correcting how the XmlLite runtime parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - An information disclosure vulnerability exists when the Windows RDP server improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the system. (CVE-2019-1224, CVE-2019-1225)\n\n - An elevation of privilege vulnerability exists when reparse points are created by sandboxed processes allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system.\n (CVE-2019-1170)\n\n - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive. (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9518)\n\n - Microsoft is aware of the Bluetooth BR/EDR (basic rate/enhanced data rate, known as \"Bluetooth Classic\") key negotiation vulnerability that exists at the hardware specification level of any BR/EDR Bluetooth device. 
An attacker could potentially be able to negotiate the offered key length down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1223)\n\n - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1227)\n\n - An elevation of privilege vulnerability exists in the way that the PsmServiceExtHost.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1173, CVE-2019-1174)\n\n - A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2019-1188)\n\n - An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1168)\n\n - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0965)\n\n - An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. 
The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2019-1078)\n\n - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0717, CVE-2019-0718, CVE-2019-0723)\n\n - An elevation of privilege vulnerability exists in the way that the wcmsvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - An elevation of privilege vulnerability exists in the way that the psmsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1175)\n\n - An information disclosure vulnerability exists in SymCrypt during the OAEP decryption stage. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the way that the ssdpsrv.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
(CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows incorrectly validates CAB file signatures. An attacker who successfully exploited this vulnerability could inject code into a CAB file without invalidating the file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1183)\n\n - An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1148, CVE-2019-1153)\n\n - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts with full user rights. 
(CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1226)\n\n - An elevation of privilege vulnerability exists in the way that the rpcss.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - An elevation of privilege vulnerability exists due to a stack corruption in Windows Subsystem for Linux. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1185)\n\n - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise a users system. 
There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - An elevation of privilege vulnerability exists when Windows Core Shell COM Server Registrar improperly handles COM calls. An attacker who successfully exploited this vulnerability could potentially set certain items to run at a higher level and thereby elevate permissions. (CVE-2019-1184)\n\n - A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could cause the DHCP server service to stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1057)\n\n - An elevation of privilege vulnerability exists in the way that the unistore.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. 
(CVE-2019-1131, CVE-2019-1139, CVE-2019-1140, CVE-2019-1141, CVE-2019-1195, CVE-2019-1196, CVE-2019-1197)", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "nessus", "title": "KB4512508: Windows 10 Version 1903 August 2019 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0717", "CVE-2019-0718", "CVE-2019-0723", "CVE-2019-0965", "CVE-2019-1030", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1131", "CVE-2019-1133", "CVE-2019-1139", "CVE-2019-1140", "CVE-2019-1141", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1170", "CVE-2019-1171", "CVE-2019-1172", "CVE-2019-1173", "CVE-2019-1174", "CVE-2019-1175", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1184", "CVE-2019-1185", "CVE-2019-1186", "CVE-2019-1187", "CVE-2019-1188", "CVE-2019-1190", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1195", "CVE-2019-1196", "CVE-2019-1197", "CVE-2019-1198", "CVE-2019-1212", "CVE-2019-1222", "CVE-2019-1223", "CVE-2019-1224", "CVE-2019-1225", "CVE-2019-1226", "CVE-2019-1227", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2023-02-10T00:00:00", "cpe": ["cpe:/o:microsoft:windows", "cpe:/a:microsoft:edge"], "id": "SMB_NT_MS19_AUG_4512508.NASL", "href": "https://www.tenable.com/plugins/nessus/127848", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127848);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/10\");\n\n script_cve_id(\n \"CVE-2019-0714\",\n \"CVE-2019-0715\",\n \"CVE-2019-0716\",\n \"CVE-2019-0717\",\n \"CVE-2019-0718\",\n \"CVE-2019-0723\",\n \"CVE-2019-0965\",\n \"CVE-2019-1030\",\n \"CVE-2019-1057\",\n \"CVE-2019-1078\",\n \"CVE-2019-1131\",\n \"CVE-2019-1133\",\n \"CVE-2019-1139\",\n \"CVE-2019-1140\",\n \"CVE-2019-1141\",\n \"CVE-2019-1143\",\n \"CVE-2019-1144\",\n \"CVE-2019-1145\",\n \"CVE-2019-1146\",\n \"CVE-2019-1147\",\n \"CVE-2019-1148\",\n \"CVE-2019-1149\",\n \"CVE-2019-1150\",\n \"CVE-2019-1151\",\n \"CVE-2019-1152\",\n \"CVE-2019-1153\",\n \"CVE-2019-1155\",\n \"CVE-2019-1156\",\n \"CVE-2019-1157\",\n \"CVE-2019-1158\",\n \"CVE-2019-1159\",\n \"CVE-2019-1162\",\n \"CVE-2019-1163\",\n \"CVE-2019-1164\",\n \"CVE-2019-1168\",\n \"CVE-2019-1170\",\n \"CVE-2019-1171\",\n \"CVE-2019-1172\",\n \"CVE-2019-1173\",\n \"CVE-2019-1174\",\n \"CVE-2019-1175\",\n \"CVE-2019-1176\",\n \"CVE-2019-1177\",\n \"CVE-2019-1178\",\n \"CVE-2019-1179\",\n \"CVE-2019-1180\",\n \"CVE-2019-1181\",\n \"CVE-2019-1182\",\n \"CVE-2019-1183\",\n \"CVE-2019-1184\",\n \"CVE-2019-1185\",\n \"CVE-2019-1186\",\n \"CVE-2019-1187\",\n \"CVE-2019-1188\",\n \"CVE-2019-1190\",\n \"CVE-2019-1192\",\n \"CVE-2019-1193\",\n \"CVE-2019-1194\",\n \"CVE-2019-1195\",\n \"CVE-2019-1196\",\n \"CVE-2019-1197\",\n \"CVE-2019-1198\",\n \"CVE-2019-1212\",\n \"CVE-2019-1222\",\n \"CVE-2019-1223\",\n \"CVE-2019-1224\",\n \"CVE-2019-1225\",\n \"CVE-2019-1226\",\n \"CVE-2019-1227\",\n \"CVE-2019-9506\",\n \"CVE-2019-9511\",\n \"CVE-2019-9512\",\n \"CVE-2019-9513\",\n \"CVE-2019-9514\",\n \"CVE-2019-9518\"\n );\n script_xref(name:\"MSKB\", value:\"4512508\");\n script_xref(name:\"MSFT\", value:\"MS19-4512508\");\n script_xref(name:\"CEA-ID\", 
value:\"CEA-2019-0643\");\n\n script_name(english:\"KB4512508: Windows 10 Version 1903 August 2019 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4512508.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n way that the Windows kernel image handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. (CVE-2019-1190)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles calls to Advanced Local\n Procedure Call (ALPC). An attacker who successfully\n exploited this vulnerability could run arbitrary code in\n the security context of the local system. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1162)\n\n - A security feature bypass vulnerability exists when\n Microsoft browsers improperly handle requests of\n different origins. The vulnerability allows Microsoft\n browsers to bypass Same-Origin Policy (SOP)\n restrictions, and to allow requests that should\n otherwise be ignored. An attacker who successfully\n exploited the vulnerability could force the browser to\n send data that would otherwise be restricted.\n (CVE-2019-1192)\n\n - A remote code execution vulnerability exists in the way\n that the scripting engine handles objects in memory in\n Internet Explorer. The vulnerability could corrupt\n memory in such a way that an attacker could execute\n arbitrary code in the context of the current user. 
An\n attacker who successfully exploited the vulnerability\n could gain the same user rights as the current user.\n (CVE-2019-1133, CVE-2019-1194)\n\n - A denial of service vulnerability exists when the\n XmlLite runtime (XmlLite.dll) improperly parses XML\n input. An attacker who successfully exploited this\n vulnerability could cause a denial of service against an\n XML application. A remote unauthenticated attacker could\n exploit this vulnerability by issuing specially crafted\n requests to an XML application. The update addresses the\n vulnerability by correcting how the XmlLite runtime\n parses XML input. (CVE-2019-1187)\n\n - An elevation of privilege vulnerability exists when\n DirectX improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs; view, change, or delete\n data; or create new accounts with full user rights.\n (CVE-2019-1176)\n\n - An information disclosure vulnerability exists when the\n Windows RDP server improperly discloses the contents of\n its memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the system. (CVE-2019-1224, CVE-2019-1225)\n\n - An elevation of privilege vulnerability exists when\n reparse points are created by sandboxed processes\n allowing sandbox escape. An attacker who successfully\n exploited the vulnerability could use the sandbox escape\n to elevate privileges on an affected system.\n (CVE-2019-1170)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. 
The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1146, CVE-2019-1147, CVE-2019-1155,\n CVE-2019-1156, CVE-2019-1157)\n\n - A denial of service vulnerability exists in the HTTP/2\n protocol stack (HTTP.sys) when HTTP.sys improperly\n parses specially crafted HTTP/2 requests. An attacker\n who successfully exploited the vulnerability could\n create a denial of service condition, causing the target\n system to become unresponsive. (CVE-2019-9511,\n CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,\n CVE-2019-9518)\n\n - <h1>Executive Summary</h1> Microsoft is aware of the\n Bluetooth BR/EDR (basic rate/enhanced data rate, known\n as "Bluetooth Classic") key negotiation\n vulnerability that exists at the hardware specification\n level of any BR/EDR Bluetooth device. An attacker could\n potentially be able to negotiate the offered key length\n down to 1 byte of entropy, from a maximum of 16 bytes.\n (CVE-2019-9506)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1223)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1227)\n\n - An elevation of privilege vulnerability exists in the\n way that the PsmServiceExtHost.dll handles objects in\n memory. An attacker who successfully exploited the\n vulnerability could execute code with elevated\n permissions. 
(CVE-2019-1173, CVE-2019-1174)\n\n - A remote code execution vulnerability exists in\n Microsoft Windows that could allow remote code execution\n if a .LNK file is processed. An attacker who\n successfully exploited this vulnerability could gain the\n same user rights as the local user. (CVE-2019-1188)\n\n - An elevation of privilege exists in the p2pimsvc service\n where an attacker who successfully exploited the\n vulnerability could run arbitrary code with elevated\n privileges. (CVE-2019-1168)\n\n - A remote code execution vulnerability exists when\n Windows Hyper-V on a host server fails to properly\n validate input from an authenticated user on a guest\n operating system. (CVE-2019-0965)\n\n - An information disclosure vulnerability exists when the\n Windows Graphics component improperly handles objects in\n memory. An attacker who successfully exploited this\n vulnerability could obtain information to further\n compromise the users system. An authenticated attacker\n could exploit this vulnerability by running a specially\n crafted application. The update addresses the\n vulnerability by correcting how the Windows Graphics\n Component handles objects in memory. (CVE-2019-1078)\n\n - A denial of service vulnerability exists when Microsoft\n Hyper-V Network Switch on a host server fails to\n properly validate input from a privileged user on a\n guest operating system. An attacker who successfully\n exploited the vulnerability could cause the host server\n to crash. (CVE-2019-0714, CVE-2019-0715, CVE-2019-0717,\n CVE-2019-0718, CVE-2019-0723)\n\n - An elevation of privilege vulnerability exists in the\n way that the wcmsvc.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1180, CVE-2019-1186)\n\n - An elevation of privilege vulnerability exists in the\n way that the psmsrv.dll handles objects in memory. 
An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1175)\n\n - An information disclosure vulnerability exists in\n SymCrypt during the OAEP decryption stage. An attacker\n who successfully exploited this vulnerability could\n obtain information to further compromise the users\n system. (CVE-2019-1171)\n\n - An elevation of privilege exists in SyncController.dll.\n An attacker who successfully exploited the vulnerability\n could run arbitrary code with elevated privileges.\n (CVE-2019-1198)\n\n - An elevation of privilege vulnerability exists in the\n way that the ssdpsrv.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1178)\n\n - A remote code execution vulnerability exists when the\n Windows font library improperly handles specially\n crafted embedded fonts. An attacker who successfully\n exploited the vulnerability could take control of the\n affected system. An attacker could then install\n programs; view, change, or delete data; or create new\n accounts with full user rights. (CVE-2019-1144,\n CVE-2019-1145, CVE-2019-1149, CVE-2019-1150,\n CVE-2019-1151, CVE-2019-1152)\n\n - A security feature bypass exists when Windows\n incorrectly validates CAB file signatures. An attacker\n who successfully exploited this vulnerability could\n inject code into a CAB file without invalidating the\n file's signature. (CVE-2019-1163)\n\n - An elevation of privilege vulnerability exists when the\n Windows kernel fails to properly handle objects in\n memory. An attacker who successfully exploited this\n vulnerability could run arbitrary code in kernel mode.\n An attacker could then install programs; view, change,\n or delete data; or create new accounts with full user\n rights. 
(CVE-2019-1159, CVE-2019-1164)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1183)\n\n - An information disclosure vulnerability exists when the\n Microsoft Windows Graphics Component improperly handles\n objects in memory. An attacker who successfully\n exploited the vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1148,\n CVE-2019-1153)\n\n - A remote code execution vulnerability exists in Remote\n Desktop Services formerly known as Terminal Services\n when an unauthenticated attacker connects to the target\n system using RDP and sends specially crafted requests.\n This vulnerability is pre-authentication and requires no\n user interaction. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n target system. An attacker could then install programs;\n view, change, or delete data; or create new accounts\n with full user rights. (CVE-2019-1181, CVE-2019-1182,\n CVE-2019-1222, CVE-2019-1226)\n\n - An elevation of privilege vulnerability exists in the\n way that the rpcss.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1177)\n\n - An elevation of privilege vulnerability exists due to a\n stack corruption in Windows Subsystem for Linux. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1185)\n\n - A remote code execution vulnerability exists in the way\n that Microsoft browsers access objects in memory. 
The\n vulnerability could corrupt memory in a way that could\n allow an attacker to execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1193)\n\n - An information disclosure vulnerability exists when\n Microsoft Edge improperly handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1030)\n\n - An information disclosure vulnerability exists in Azure\n Active Directory (AAD) Microsoft Account (MSA) during\n the login request session. An attacker who successfully\n exploited the vulnerability could take over a user's\n account. (CVE-2019-1172)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-0716)\n\n - An information disclosure vulnerability exists when the\n Windows GDI component improperly discloses the contents\n of its memory. An attacker who successfully exploited\n the vulnerability could obtain information to further\n compromise a users system. There are multiple ways an\n attacker could exploit the vulnerability, such as by\n convincing a user to open a specially crafted document\n or by convincing a user to visit an untrusted webpage.\n The update addresses the vulnerability by correcting how\n the Windows GDI component handles objects in memory.\n (CVE-2019-1143, CVE-2019-1158)\n\n - An elevation of privilege vulnerability exists when\n Windows Core Shell COM Server Registrar improperly\n handles COM calls. An attacker who successfully\n exploited this vulnerability could potentially set\n certain items to run at a higher level and thereby\n elevate permissions. 
(CVE-2019-1184)\n\n - A memory corruption vulnerability exists in the Windows\n Server DHCP service when processing specially crafted\n packets. An attacker who successfully exploited the\n vulnerability could cause the DHCP server service to\n stop responding. (CVE-2019-1212)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1057)\n\n - An elevation of privilege vulnerability exists in the\n way that the unistore.dll handles objects in memory. An\n attacker who successfully exploited the vulnerability\n could execute code with elevated permissions.\n (CVE-2019-1179)\n\n - A remote code execution vulnerability exists in the way\n that the Chakra scripting engine handles objects in\n memory in Microsoft Edge. The vulnerability could\n corrupt memory in such a way that an attacker could\n execute arbitrary code in the context of the current\n user. An attacker who successfully exploited the\n vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1131, CVE-2019-1139,\n CVE-2019-1140, CVE-2019-1141, CVE-2019-1195,\n CVE-2019-1196, CVE-2019-1197)\");\n # https://support.microsoft.com/en-us/help/4512508/windows-10-update-kb4512508\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?26a6c137\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4512508.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1226\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-08\";\nkbs = make_list('4512508');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"08_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4512508])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "krebs": [{"lastseen": "2020-03-07T09:34:47", "description": "#### Patch comes amid active exploitation by ransomware gangs\n\nNetworking hardware vendor **Zyxel** today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. 
The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.\n\nBased in Taiwan, [Zyxel Communications Corp.](<https://www.zyxel.com/us/en/>) (a.k.a. \"ZyXEL\") is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.\n\nKrebsOnSecurity first learned about the flaw on Feb. 12 from **Alex Holden**, founder of Milwaukee-based security firm [Hold Security](<https://www.holdsecurity.com>). Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products without any help from users.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2020/02/zyxel-0dayinstructions.png>)\n\nA snippet from the documentation provided by 500mhz for the Zyxel 0day.\n\nHolden said the seller of the exploit code -- a ne'er-do-well who goes by the nickname \"**500mhz**\" -- is known for being reliable and thorough in his sales of 0day exploits (a.k.a. 
\"zero-days,\" these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).\n\nFor example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate [thousands of vulnerable devices](<https://fofa.so/result?q=%22NAS326%22+%26%26+ZyXEL&qbase64=Ik5BUzMyNiIgJiZaeVhFTA%3D%3D>).\n\n500mhz's profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.\n\n\"In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,\" his Russian-language profile reads.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2020/02/500mhz.png>)\n\nThe profile page of 500mhz, translated from Russian to English via Google Chrome.\n\n#### PARTIAL PATCH\n\nKrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the [U.S. Department of Homeland Security (DHS)](<https://www.cisa.gov/>) and with the [CERT Coordination Center (CERT/CC)](<https://en.wikipedia.org/wiki/CERT_Coordination_Center>), a partnership between DHS and **Carnegie Mellon University**.\n\nLess than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.\n\n\"Thanks for flagging,\" Zyxel's team wrote on Feb. 17. 
\"We\u2019ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we\u2019re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.\"\n\nEarlier today, Zyxel sent a message saying it had [published a security advisory and patch](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>) for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as [CVE-2020-9054](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9054>).\n\nHowever, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel's advice for those users is simply \"do not leave the product directly exposed to the internet.\"\n\n\"If possible, connect it to a security router or firewall for additional protection,\" the advisory reads.\n\nHolden said given the simplicity of the exploit -- which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices -- it's likely other Zyxel products may have related vulnerabilities.\n\n\"Considering how stupid this exploit is, I'm guessing this is not the only one of its class in their products,\" he said.\n\nCERT's [advisory on the flaw](<https://www.kb.cert.org/vuls/id/498544/>) rates it at a \"10\" -- its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.\n\n#### EMOTET GOES IOT?\n\nHolden said recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. 
Specifically, Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into [Emotet](<https://www.us-cert.gov/ncas/alerts/TA18-201A>), a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim's files for ransom.\n\nHolden said 500mhz was offering the Zyxel exploit for $20,000 on cybercrime forums, although it's not clear whether the Emotet gang paid anywhere near that amount for access to the code. Still, he said, ransomware gangs could easily earn back their investment by successfully compromising a single target with this simple but highly reliable exploit.\n\n\"From the attacker's standpoint simple is better,\" he said. \"The commercial value of this exploit was set at $20,000, but that's not much when you consider a ransomware gang could easily make that money back and then some in a short period of time.\"\n\nEmotet's nascent forays into IoT come amid other disturbing developments for the prolific exploitation platform. Earlier this month, security researchers noted that Emotet now has [the capability to spread in a worm-like fashion via Wi-Fi networks](<https://threatpost.com/emotet-now-hacks-nearby-wi-fi-networks-to-spread-like-a-worm/152725/>).\n\n\"To me, a 0day exploit in Zyxel is not as scary as who bought it,\" he said. \"The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.\"\n\n#### DISCLOSURE DEBATE\n\nThis experience was a good reminder that vulnerability reporting and remediation often can be a frustrating process. 
Twelve days turnaround is fairly quick as these things go, although probably not quick enough for customers using products affected by zero-day vulnerabilities.\n\nIt can be tempting when one is not getting any response from a vendor to simply publish an alert detailing one's findings, and the pressure to do so certainly increases when there is a zero-day flaw involved. KrebsOnSecurity ultimately opted not to do that for three reasons.\n\nFirstly, at the time there was no evidence that the flaws were being actively exploited, and because the vendor had assured DHS and CERT-CC that it would soon have a patch available.\n\nPerhaps most importantly, public disclosure of an unpatched flaw could well have made a bad situation worse, without offering affected users much in the way of information about how to protect their systems.\n\nMany hardware and software vendors include a link from their home pages to /security.txt, which is [a proposed standard](<https://tools.ietf.org/html/draft-foudil-securitytxt-08>) for allowing security researchers to quickly identify the points of contact at vendors when seeking to report security vulnerabilities. 
But even vendors who haven't yet adopted this standard (Zyxel has not) usually will respond to reports at security@[vendordomainhere]; indeed, Zyxel encourages researchers to forward any such reports to security@zyxel.com.tw.\n\nOn the subject of full disclosure, I should note that while this author is listed by Hold Security's site as an advisor, KrebsOnSecurity has never sought nor received remuneration of any kind in connection with this role.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T17:13:11", "type": "krebs", "title": "Zyxel Fixes 0day in Network Storage Devices", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9054"], "modified": "2020-02-24T17:13:11", "id": "KREBS:39654A032B4386114B09583F15D4E8D2", "href": "https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-03-20T19:36:53", "description": "In February, hardware maker **Zyxel** [fixed a zero-day vulnerability in its routers and VPN firewall 
products](<https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/>) after KrebsOnSecurity told the company the flaw was being abused by attackers to break into devices. This week, security researchers said they spotted that same vulnerability being exploited by a new variant of [Mirai](<https://krebsonsecurity.com/?s=mirai&x=0&y=0>), a malware strain that targets vulnerable **Internet of Things** (IoT) devices for use in large-scale attacks and [as proxies for other cybercrime activity](<https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/>).\n\n\n\nSecurity experts at **Palo Alto Networks** [said Thursday](<https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/>) their sensors detected the new Mirai variant -- dubbed **Mukashi** -- on Mar. 12. The new Mirai strain targets [CVE-2020-9054](<https://kb.cert.org/vuls/id/498544/>), a critical flaw that exists in many VPN firewalls and network attached storage (NAS) devices made by Taiwanese vendor **Zyxel Communication Corp.**, which boasts some 100 million devices deployed worldwide.\n\nLike other Mirai variants, Mukashi constantly scans the Internet for vulnerable IoT devices like security cameras and digital video recorders (DVRs), looking for a range of machines protected only by factory-default credentials or commonly-picked passwords.\n\nPalo Alto said IoT systems infected by Mukashi then report back to a control server, which can be used to disseminate new instructions -- such as downloading additional software or [launching distributed denial of service (DDoS) attacks](<https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/>).\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2020/03/mukashicommands.png>)\n\nThe commands Mukashi botmasters can send to infected devices include scanning for and exploiting other systems, and launching DDoS attacks. 
Image: Palo Alto Networks.\n\nZyxel [issued a patch](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>) for the flaw on Feb. 24, but the update did not fix the problem on many older Zyxel devices which are no longer being supported by the company. For those devices, Zyxel's advice was not to leave them connected to the Internet.\n\n[A joint advisory on CVE-2020-9054](<https://kb.cert.org/vuls/id/498544/>) from the **U.S. Department of Homeland Security** and the **CERT Coordination Center** rates this vulnerability at a \u201c10\u201d \u2014 the most severe kind of flaw. The DHS/CERT advisory also includes sample code to test if a Zyxel product is vulnerable to the flaw.\n\nMy advice? If you can\u2019t [patch it](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>), pitch it, as Mukashi is not the only thing interested in this Zyxel bug: Recent activity suggests attackers known for deploying ransomware have been actively working to test it for use against targets.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-20T14:46:15", "type": "krebs", "title": "Zyxel Flaw Powers New Mirai IoT Botnet Strain", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9054"], "modified": "2020-03-20T14:46:15", "id": "KREBS:D13D787B059B46E5005F07248EA46F0E", "href": "https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:38:33", "description": "[](<https://thehackernews.com/images/-WCqttfMDeDY/XnXGIzThpXI/AAAAAAAAAHQ/I-F_v7YoIY4v3LbJmv164JaWpHPYR18KQCLcBGAsYHQ/s728-e100/Zyxel-Mirai-IoT-Botnet-malware.jpg>)\n\nA new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. \n \nCalled \"[Mukashi](<https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/>),\" the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products to take control of the devices and add them to a network of infected bots that can be used to carry out Distributed Denial of Service (DDoS) attacks. \n \nMultiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to the compromise, Palo Alto Networks' Unit 42 global threat intelligence team said, adding they uncovered the first such exploitation of the flaw in the wild on March 12. \n \n\n\n## Zyxel's Pre-Authentication Command Injection Flaw\n\n \nMukashi hinges on a pre-authentication [command injection vulnerability](<https://www.kb.cert.org/vuls/id/498544/>) (tracked as [CVE-2020-9054](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9054>)), for which a proof-of-concept was only made publicly available last month. 
The flaw resides in a \"weblogin.cgi\" program used by the Zyxel devices, thereby potentially allowing attackers to perform remote code execution via command injection. \n \n\"The executable weblogin.cgi doesn't properly sanitize the username parameter during authentication. The attacker can use a single quote (') to close the string and a semicolon (;) to concat arbitrary commands to achieve command injection,\" according to Unit 42 researchers. \"Since weblogin.cgi accepts both HTTP GET and POST requests, the attacker can embed the malicious payload in one of these HTTP requests and gain code execution.\" \n \n\n\n[](<https://thehackernews.com/images/-DFEV2bTe2Ew/XnXCzCVIoqI/AAAAAAAAAG8/qDq3xDNv_k85JJ2QaqcPzO-kqG43TQaVQCLcBGAsYHQ/s728-e100/Zyxel-Mirai-IoT-Botnet.jpg>)\n\n \nZyxel issued a [patch for the vulnerability](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>) last month after it emerged that [precise instructions](<https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/>) for exploiting the flaw were being sold in underground cybercrime forums for $20,000 for use against targets. But the update doesn't address the flaw on many older unsupported devices. \n \nAs a workaround, the Taiwan-based networking equipment maker has urged users of those affected models to not leave the products directly exposed to the Internet, and connect them to a security router or firewall for additional protection. \n \n\n\n## Mukashi Targets Zyxel NAS Devices\n\n \nJust like other Mirai variants, Mukashi operates by scanning the Internet for vulnerable IoT devices like routers, NAS devices, security cameras, and digital video recorders (DVRs), looking for potential hosts that are protected only by factory-default credentials or commonly-used passwords to co-opt them into the botnet. 
\n \nIf a brute-force login turns out to be successful, Mukashi not only reports the login attempt to a remote attacker-controlled command-and-control (C2) server but also awaits further commands to launch DDoS attacks. \n \n\n\n[](<https://thehackernews.com/images/-wltph8qO7IM/XnXDNciCnMI/AAAAAAAAAHE/17qHlLa1zZch4AEAescHlxqR3k7W9kWSQCLcBGAsYHQ/s728-e100/iot-botnet.jpg>)\n\n \n\"When it's executed, Mukashi prints the message 'Protecting your device from further infections.' to the console,\" Unit42 researchers said. \"The malware then proceeds to change its process name to dvrhelper, suggesting Mukashi may inherit certain traits from its predecessor.\" \n \n\n\n## Mirai's History of DDoS attacks\n\n \nThe [Mirai botnet](<https://thehackernews.com/2017/12/hacker-ddos-mirai-botnet.html>), since its discovery in 2016, has been linked to a string of large-scale DDoS attacks, including one against [DNS service provider Dyn](<https://thehackernews.com/2016/10/dyn-dns-ddos.html>) in October 2016, causing major internet platforms and services to remain inaccessible to users in Europe and North America. \n \nSince then, [numerous variants of Mirai](<https://thehackernews.com/2019/03/mirai-botnet-enterprise-security.html>) have sprung up, in part due to the availability of its [source code](<https://thehackernews.com/2016/10/mirai-source-code-iot-botnet.html>) on the Internet since 2016. \n \nIt's recommended that all Zyxel consumers download the firmware update to protect devices from Mukashi hijacks. Updating default credentials with complex login passwords can also go a long way towards preventing such brute-force attacks. \n \nThe full list of Zyxel products affected by the flaw is [available here](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>). 
You can also test if a Zyxel NAS device is vulnerable here.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-21T07:51:00", "type": "thn", "title": "Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9054"], "modified": "2020-06-10T14:51:44", "id": "THN:FDE349ED29A8A84B3E71D0DBD64A4574", "href": "https://thehackernews.com/2020/03/zyxel-mukashi-mirai-iot-botnet.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-25T00:00:00", "type": "cisa_kev", "title": "Zyxel Multiple NAS Devices OS Command Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9054"], "modified": "2022-03-25T00:00:00", "id": "CISA-KEV-CVE-2020-9054", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-03-11T21:25:35", "description": "Security researchers are warning that networking hardware vendor Zyxel and its Cloud CNM SecuManager software is chock-full of unpatched vulnerabilities that kick open the doors for hackers to exploit. In all, researchers have identified 16 vulnerabilities, ranging from multiple backdoors and default credentials to insecure memory storage.\n\nThe Zyxel CNM SecuManager is a networking management software solution that provides an integrated console to monitor and manage enterprise security gateways, such as the company\u2019s own ZyWALL USG and its VPN series products. 
When contacted by Threatpost, Zyxel would not say how many users of the product there are, only that the number was \u201climited.\u201d\n\nHowever, security researchers Pierre Kim and Alexandre Torres wrote in [a report posted Monday](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html>) that \u201cthe attack surface is very large and many different stacks are being used making it very interesting. Furthermore, some daemons are running as root and are reachable from the WAN. Also, there is no firewall by default.\u201d The report outlined more than a dozen flaws.\n\nOn Monday, Taiwan-based Zyxel declined to comment on the research, adding that it was unaware of the report. Because of the sensitive nature of the vulnerability claims, Threatpost declined at the time to publish the researchers\u2019 findings.\n\nOn Wednesday, Nathan Yen, AVP of Zyxel Gateway SBU, reached out to Threatpost and said that the company was now aware of issues and was working quickly to fix them. He did not specifically address any of the 16 vulnerability claims.\n\nResearcher Kim told Threatpost he did not disclose the vulnerabilities to Zyxel because he believed that the vendor intentionally created backdoors into its product that would open Cloud CNM SecuManager software to remote access by Zyxel, post-customer installation.\n\n\u201cThe only effective way when dealing with backdoors planted with the vendor is to publish zero-day vulnerabilities using full disclosure,\u201d he said. 
\u201cBy going full disclosure, the vendor will be forced to remove the backdoors.\u201d\n\nYen did not address those claims by the researchers.\n\nResearchers said that flaws were reported on December 20, and on Monday they publicly disclosed the vulnerabilities online and via security mailing lists.\n\n**Researchers Outline Bugs**\n\nAccording to the report, the vulnerable software includes Zyxel CNM SecuManager versions 3.1.0 and 3.1.1 \u2013 last updated in November 2018.\n\nTopping the researchers\u2019 list of security concerns is the use of hard-coded Secure Shell (SSH) server keys, used by network administrators for remote login and remote control of hardware assets.\n\n\u201cBy default, the appliance uses hardcoded SSH server keys for the main host and for the chroot environments,\u201d they wrote. A chroot is an operation to change a root directory for a running process and its dependent directories on Unix operating systems. \u201cThis allows an attacker to [man in the middle] MITM and decrypt the encrypted traffic,\u201d they wrote.\n\nAnother vulnerability is tied to predefined passwords for admin accounts. \u201cBy default, we can extract the pre-defined admin and the pre-defined users from MySQL,\u201d researchers wrote. MySQL is an open-source relational database management system. Researchers described the effort as \u201ctrivial,\u201d making it easy to obtain the extraction of \u201cprevious admin/users.\u201d\n\nAlso of concern to researchers is what they said was the Zyxel CNM SecuManager\u2019s \u201cinsecure management over the cloud.\u201d\n\n\u201cBy default, myzxel.pyc used for communication to the \u2018Cloud\u2019 uses some hardcoded variables for communication over HTTPS,\u201d they wrote. 
As they described, \u201cThe function get_account_info uses the account_id, the jwt_secret and the jwt_secret_id\u2026 The jwt_secret and jwt_secret_id are generated as unique key for each appliance.\u201d\n\nIn this context, researchers said an attacker can extract account information using backdoors in the SecuManager\u2019s APIs or by using the \u201canonymous access to the ZODB interface and decrypting the secret account_id value.\u201d\n\nA ZODB, or Zope Object Database, is an object-oriented database for transparently and persistently storing Python objects, [according to a technical description](<http://www.zodb.org/en/latest/>).\n\n\u201cThere are likely to be way more zero-day vulnerabilities in the appliance, but we decided not to dig more due to time constraints,\u201d wrote Kim and Torres.\n\n**Zyxel Promises Fixes**\n\n\u201cWhile we\u2019re still investigating the listed issues, it\u2019s important to note that the CloudCNM SecuManager is a network management tool customized for specific customer demands and is used by a very limited number of customers,\u201d according to a written response from Yen to Threatpost.\n\nYen told Threatpost that the CloudCNM SecuManager was co-developed with a third-party vendor. \u201cWe\u2019re working with them to solve the issues as our top priority. We\u2019ll reach out to individual customers directly to roll out the solution,\u201d he said.\n\nNone of the vulnerabilities Kim and Torres identified could be found on the [company\u2019s security advisory page](<https://www.zyxel.com/us/en/support/security_advisories.shtml>) at the time of this report.\n\nLate last month, Zyxel patched a zero-day vulnerability tied to a critical flaw in many of its network attached storage (NAS) devices. The bug, [tracked as CVE-2020-9054](<https://www.zyxel.com/us/en/support/remote-code-execution-vulnerability-of-NAS-products.shtml>), allowed a remote, unauthenticated adversary to execute arbitrary code on a vulnerable device. 
Patches were made available for four out of 14 affected NAS devices. The other 10 NAS devices were no longer supported by Zyxel.\n\n**Vulnerabilities Summary**\n\nThe researchers\u2019 full list of Zyxel CNM SecuManager software vulnerabilities follows:\n\n 1. [Hardcoded SSH server keys](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#ssh-servers-keys>)\n 2. [Backdoors accounts in MySQL](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#mysql-backdoor-accounts>)\n 3. [Hardcoded certificate and backdoor access in Ejabberd](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#ejabberd-backdoors>)\n 4. [Open ZODB storage without authentication](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#open-zodb>)\n 5. [MyZyxel \u2018Cloud\u2019 Hardcoded Secret](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#myzyxel-hardcoded-secret>)\n 6. [Hardcoded Secrets, APIs](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#hardcoded-secrets-apis>)\n 7. [Predefined passwords for admin accounts](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#predefined-pwd-admins>)\n 8. [Insecure management over the \u2018Cloud\u2019](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#insecure-cloud>)\n 9. [xmppCnrSender.py log escape sequence injection](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#xmpp-escape-seq-injection>)\n 10. [xmppCnrSender.py no authentication and clear-text communication](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#xmpp-no-auth-cleartext>)\n 11. 
[Incorrect HTTP requests cause out of range access in Zope](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#zope-out-of-range>)\n 12. [XSS on the web interface](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#xss>)\n 13. [Private SSH key](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#private-ssh-key>)\n 14. [Backdoor APIs](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#backdoor-apis>)\n 15. [Backdoor management access and RCE](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#backdoor-management-rce>)\n 16. [Pre-auth RCE with chrooted access](<https://pierrekim.github.io/blog/2020-03-09-zyxel-secumanager-0day-vulnerabilities.html#pre-auth-rce>)\n\n\u201cAt this time, I would advise customers to avoid using this product,\u201d Kim said. \u201cI also have some questions about the \u2018Cloud\u2019 functionality provided by Zyxel and the fact that some encryption keys are hardcoded and HTTPS communication are not secure because of the lack of verification of certificates \u2013 this allows an attacker to intercept and modify the management traffic to and from the SecuManager product.\u201d\n", "cvss3": {}, "published": "2020-03-11T21:20:23", "type": "threatpost", "title": "Flaws Riddle Zyxel\u2019s Network Management Software", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9054"], "modified": "2020-03-11T21:20:23", "id": "THREATPOST:17E3FCD38AE400EE2E294AFDDAD88C3C", "href": "https://threatpost.com/flaws-zyxels-network-management-software/153554/?utm_source=rss&utm_medium=rss&utm_campaign=flaws-zyxels-network-management-software", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2020-04-15T11:23:31", "description": "Another variant of the shape-shifting Mirai botnet is attacking Zyxel network-attached storage (NAS) devices using a critical vulnerability that was only recently discovered, according to security researchers.\n\nThe variant, dubbed Mukashi, takes advantage of a pre-authentication command injection vulnerability found in Zyxel NAS storage devices, according to researchers at [Palo Alto Networks\u2019](<https://www.paloaltonetworks.com/>) [Unit 42](<https://unit42.paloaltonetworks.com/>) global threat intelligence team. 
A proof of concept for the vulnerability, [CVE-2020-9054](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9054>), was published publicly only last month.\n\n\u201cMukashi brute forces the logins using different combinations of default credentials, while informing its command and control (C2) server of the successful login attempts,\u201d Unit 42\u2019s [Ken Hsu](<https://unit42.paloaltonetworks.com/author/ken-hsu/>), [Zhibin Zhang](<https://unit42.paloaltonetworks.com/author/zhibin-zhang/>) and [Ruchna Nigam](<https://unit42.paloaltonetworks.com/author/ruchna-nigam/>) wrote in a [blog post](<https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/>) published Thursday.\n\nMany and potentially all Zyxel NAS products running firmware versions up to 5.21 are vulnerable to compromise, they said.\n\n\u201cWe\u2019re aware of the CVE-2020-9054 vulnerability and [already released firmware updates](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>) for the affected products immediately,\u201d a spokesperson for Zyxel wrote to Threatpost in response to email-based questions about the bug. \n\n\u201cWe\u2019ve been proactively communicating the issue to our customers on Zyxel Forum and through direct email alerts to urge customers to install the firmware updates or follow the workaround for optimal protection,\u201d the company representative wrote.\n\nResearcher Alex Holden, founder of Milwaukee-based security firm [Hold Security](<https://www.holdsecurity.com>), discovered the Zyxel NAS vulnerability last month when someone was selling precise instructions for how to exploit it on the cybercrime underground. 
He alerted Brian Krebs of [KrebsonSecurity](<https://krebsonsecurity.com/>), who informed Zyxel of the exploit and published [a report](<https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/>) about the vulnerability, which he said can allow a threat actor to remotely compromise and take control of more than a dozen of Zyxel\u2019s devices.\n\n\u201cThis initial discovery also mentioned \u2018the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet,'\u201d according to Unit 42 researchers.\n\nThe Mirai botnet has been around in some form or another for some time. Source code for Mirai [was released](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>) in October 2016 and since then numerous malware variants have been seen in the wild. The Internet of Things (IoT) botnet has been linked to major distributed denial of service (DDoS) attacks, and its multiple variants in the past several years have been indiscriminate in their targeting.\n\nMirai and its variants have been observed taking down technology such as [routers](<https://threatpost.com/new-mirai-variant-targets-routers-knocks-900000-offline/122155/>), internet-based companies such as [DNS providers](<https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/>), business sectors such as [financial services](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>), and horizontal players such as [enterprise companies](<https://threatpost.com/mirai-enterprise-systems/142889/>), to name a few. 
Mirai even has bolstered cybercriminals by giving [the DDoS as a service](<https://threatpost.com/mirai-giving-ddos-as-a-service-industry-a-boost/122493/>) industry prevalent on hacker forums a boost.\n\nMirai variants observed by researchers show a shift in focus in the last year to target hardware and [processors](<https://threatpost.com/new-mirai-samples-grow-the-number-of-processors-targets/143566/>), and the latest variant Mukashi bucks that trend. Mukashi shares some characteristics with previous Mirai variants as well as the Mirai botnet from which it was spawned, Unit 42 researchers wrote.\n\nThe variant operates by scanning the TCP port 23 of random hosts, brute forcing the logins using different combinations of default credentials. It then reports the successful login attempt to its C2 server, from which it is also capable of receiving C2 commands and launching DDoS attacks\u2014a characteristic it shares with other Mirai variants, they said.\n\nBefore being fully deployed, Mukashi binds to the TCP port 23448 to ensure only a single instance of the botnet runs on the infected system, according to researchers. Then, once executed, Mukashi prints the message \u201cProtecting your device from further infections\u201d to the console, after which it changes its process name to \u201cdvrhelper\u201d\u2013a name that implies Mukashi may also have inherited some of Mirai\u2019s functionality, they wrote.\n\nOne thing that sets Mukashi apart from other Mirai variants is its method of encryption, researchers noted. 
While those use conventional xor encryption, Mukashi uses a custom decryption routine to encrypt these commands and credentials, they said, providing a script for the encryption.\n\nZyxel has published a [vendor advisory](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>) on the vulnerability as well as [a website](<https://kb.cert.org/artifacts/cve-2020-9054.html>) for testing whether a device is vulnerable.\n\nOn March 9, [researchers identified over 16 security flaws](<https://threatpost.com/flaws-zyxels-network-management-software/153554/>) in Zyxel\u2019s Cloud CNM SecuManager software. Some of those bugs included multiple backdoors and hardcoded SSH server keys.\n", "cvss3": {}, "published": "2020-03-20T13:27:07", "type": "threatpost", "title": "New Mirai Variant 'Mukashi' Targets Zyxel NAS Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9054"], "modified": "2020-03-20T13:27:07", "id": "THREATPOST:738DE8A2593073CC7FCE24DA250F4DA2", "href": "https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-05-19T14:40:31", "description": "A researcher [ has released](<https://github.com/0vercl0k/CVE-2021-31166>) a proof-of-concept (PoC) exploit for [ CVE-2021-31166](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166>), a use-after-free, highly critical vulnerability in the HTTP protocol stack (`http.sys`) that could lead to wormable remote code execution (RCE).\n\nMicrosoft discovered the flaw internally, releasing a patch in its May 11 [ Patch Tuesday](<https://threatpost.com/wormable-windows-bug-dos-rce/166057/>) update. This was the most severe bug in that batch: an `http.sys` issue that requires neither user authentication nor user interaction to exploit. An exploit would allow RCE with kernel privileges or a denial-of-service (DoS) attack.\n\nAccording to a tweet from Microsoft\u2019s Justin Campbell, the vulnerability was found by [ @_mxms](<https://twitter.com/_mxms>) and [ @fzzyhd1](<https://twitter.com/fzzyhd1>).\n\n> Fortunately this http.sys bug was an internal find by our team. This one thanks to [@_mxms](<https://twitter.com/_mxms?ref_src=twsrc%5Etfw>), [@fzzyhd1](<https://twitter.com/fzzyhd1?ref_src=twsrc%5Etfw>) and everyone who contributes to our tooling and automation. 
<https://t.co/0ru9BQMaJ9>\n> \n> \u2014 Justin Campbell (@metr0) [May 13, 2021](<https://twitter.com/metr0/status/1392631376592076805?ref_src=twsrc%5Etfw>)\n\n`http.sys` enables Windows and applications to communicate with other devices; it can be run standalone or in conjunction with Internet Information Services (IIS).\n\n## Microsoft Advises Priority Patching\n\n\u201cIn most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (`http.sys`) to process packets,\u201d Microsoft explained in its [ advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166>). Given that the vulnerability is wormable, Microsoft recommends prioritizing the patching of affected servers.\n\n\u201cWith a CVSS score of 9.8, the vulnerability announced has the potential to be both directly impactful and is also exceptionally simple to exploit, leading to a remote and unauthenticated denial-of-service (Blue Screen of Death) for affected products,\u201d McAfee\u2019s Steve Povolny said in an [ analysis](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/major-http-vulnerability-in-windows-could-lead-to-wormable-exploit/>) of the flaw at the time.\n\nPovolny explained that the problem lies in how Windows improperly tracks pointers while processing objects in network packets containing HTTP requests. The vulnerability only affects the latest versions of Windows 10 and Windows Server, meaning that the exposure for internet-facing enterprise servers is \u201cfairly limited,\u201d he said. 
That\u2019s because many of these systems run Long Term Servicing Channel (LTSC) versions, such as Windows Server 2016 and 2019, which aren\u2019t susceptible to this flaw.\n\n## Public Exploit for Wormable Security Bug\n\nResearcher Axel Souchet, who used to work for Microsoft, published the PoC to [ GitHub](<https://github.com/0vercl0k/CVE-2021-31166>), noting that the bug happens in `http!UlpParseContentCoding`, where the function has a local `LIST_ENTRY` and appends an item to it. \u201cWhen it\u2019s done, it moves it into the Request structure; but it doesn\u2019t `NULL` out the local list,\u201d he explained. \u201cThe issue with that is that an attacker can trigger a code path that frees every [entry] of the local list, leaving them dangling in the Request object.\u201d\n\nThis isn\u2019t the first PoC exploit for CVE-2021-31166 that Souchet has released, but this is the first wormable one. Over the weekend, he released a PoC that only locked the impacted Windows system as long as it\u2019s running an IIS server. That initial exploit shows how an attacker can leverage the flaw to cause DoS on a targeted system by sending it specially crafted packets.\n\n> I've built a PoC for CVE-2021-31166 the \"HTTP Protocol Stack Remote Code Execution Vulnerability\": <https://t.co/8mqLCByvCp> \ud83d\udd25\ud83d\udd25 [pic.twitter.com/yzgUs2CQO5](<https://t.co/yzgUs2CQO5>)\n> \n> \u2014 Axel Souchet (@0vercl0k) [May 16, 2021](<https://twitter.com/0vercl0k/status/1393970836302811138?ref_src=twsrc%5Etfw>)\n\n## And Thus Does the Exploit Lifecycle Crank Up Again\n\nThe publishing of PoC code like this is typically the first step in the [ lifecycle of an exploit](<https://threatpost.com/top-microsoft-adobe-exploits-list/166241/>). As explained by Trend Micro\u2019s Mayra Rosario Fuentes at the RSA Conference 2021 on Monday, the next step in that lifecycle is for crooks to sell it.\n\nAfter it\u2019s in the wild, a vulnerability moves into the stage of public disclosure. 
Next, the vendor patches the vulnerability. Finally, that vulnerability goes down two paths: If it\u2019s patched, that\u2019s it, end of life. If not, the exploit\u2019s still there, waiting to be purchased on underground forums and set free on whichever unlucky victims haven\u2019t yet patched.\n\nOne example is the eight-month lifecycle of CVE-2020-9054: an exploit sold on the XSS cybercriminal forum for $20,000 in February 2020 that got written up by cybersecurity journalist Brian Krebs, was publicly disclosed and patched by Microsoft in March 2020, and wound up being [ exploited by a botnet a month later](<https://threatpost.com/new-mirai-variant-mukashi-targets-zyxel-nas-devices/153982/>). That botnet, a variant of the [ Mirai botnet](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>) named Mukashi that targeted Zyxel network-attached storage (NAS) devices, allowed threat actors to remotely compromise and control devices.\n\nFive months after it was patched, in August 2020, another forum post requested an exploit, offering a bargain basement payment of $2,000. It\u2019s a tenth of the original exploit, but a solid indication that some vulnerabilities have a long shelf life \u2013 most particularly if they\u2019re used to crack open Microsoft products. Microsoft exploits, after all, are by far the [ most-requested](<https://threatpost.com/top-microsoft-adobe-exploits-list/166241/>) and the most-sold exploit flavors on the underground market: All the more reason to heed Microsoft\u2019s advice to prioritize patching for this one.\n", 
"cvss3": {}, "published": "2021-05-19T14:35:06", "type": "threatpost", "title": "Windows PoC Exploit Released for Wormable RCE", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-9054", "CVE-2021-31166"], "modified": "2021-05-19T14:35:06", "id": "THREATPOST:960DA04864E083F2EAA36F3764D13603", "href": "https://threatpost.com/windows-exploit-wormable-rce/166289/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-18T07:36:18", "description": "A command injection vulnerability exists in Multiple ZyXEL network-attached storage (NAS) devices. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-26T00:00:00", "type": "checkpoint_advisories", "title": "ZyXEL NAS Command Injection (CVE-2020-9054)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9054"], "modified": "2022-02-17T00:00:00", "id": "CPAI-2020-0088", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2023-06-06T17:12:40", "description": "### Overview\n\nMultiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.\n\n### Description\n\n[CWE-78](<https://cwe.mitre.org/data/definitions/78.html>): Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\n\nMultiple ZyXEL devices achieve authentication by using the `weblogin.cgi` CGI executable. This program fails to properly sanitize the `username` parameter that is passed to it. If the `username` parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. \n \nExploit code for this vulnerability that targets NAS devices is available on the internet. For this reason, we have created a [PoC exploit](<https://kb.cert.org/artifacts/cve-2020-9054.html>) that has the ability to power down affected ZyXEL NAS devices. \n \n--- \n \n### Impact\n\nBy sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. 
However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nZyXEL has made [firmware updates available](<https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>) for NAS326, NAS520, NAS540, NAS542, ATP100, ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200, VPN50, VPN100, VPN300, VPN1000, ZyWALL110, ZyWALL310, and ZyWALL1100 devices. Owners of NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2 as well as some other ZyXEL devices may not be able to install firmware updates, as these devices are no longer supported. Be cautious when updating firmware on affected devices, as the ZyXEL firmware upgrade process both uses an insecure channel (FTP) for retrieving updates, and the firmware files are only verified by checksum rather than cryptographic signature. For these reasons, any attacker that has control of DNS or IP routing may be able to cause a malicious firmware to be installed on a ZyXEL device. \n \nPlease also consider the following workarounds: \n \n--- \n \n**Block access to the ZyXEL device web interface** \n \nThis issue can be mitigated by blocking (for example with a firewall) access to the web interface (80/tcp and 443/tcp) of any vulnerable ZyXEL device. Any machine that can access the ZyXEL web interface should not also be able to access the internet. \n \n**Restrict access to vulnerable ZyXEL devices** \n \nDirect exploitation of this vulnerability can be mitigated by restricting access to vulnerable devices. In particular, do not expose such devices directly to the internet. 
Note however, that it is still possible for attackers to exploit devices that are not directly connected to the internet. For example, by way of viewing a web page. \n \n--- \n \n### Vendor Information\n\n498544\n\n### Zyxel Affected\n\nNotified: February 15, 2020 Updated: February 24, 2020 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C \nTemporal | 9.5 | E:F/RL:U/RC:C \nEnvironmental | 7.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml>\n * <https://krebsonsecurity.com/2020/02/zyxel-fixes-0day-in-network-storage-devices/>\n * <https://cwe.mitre.org/data/definitions/78.html>\n\n### Acknowledgements\n\nThanks to Brian Krebs for notifying us of the exploit availability, which was uncovered by Alex Holden of Hold Security.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2020-9054](<http://web.nvd.nist.gov/vuln/detail/CVE-2020-9054>) \n---|--- \n**Date Public:** | 2020-02-12 \n**Date First Published:** | 2020-02-24 \n**Date Last Updated: ** | 2020-02-26 16:16 UTC \n**Document Revision: ** | 42 \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "cert", "title": "ZyXEL pre-authentication command injection in weblogin.cgi", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-9054"], "modified": "2020-02-26T16:16:00", "id": "VU:498544", "href": "https://www.kb.cert.org/vuls/id/498544", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-06T15:05:53", "description": "Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.21 contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device. ZyXEL NAS devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges. 
By sending a specially-crafted HTTP POST or GET request to a vulnerable ZyXEL device, a remote, unauthenticated attacker may be able to execute arbitrary code on the device. This may happen by directly connecting to a device if it is directly exposed to an attacker. However, there are ways to trigger such crafted requests even if an attacker does not have direct connectivity to a vulnerable device. For example, simply visiting a website can result in the compromise of any ZyXEL device that is reachable from the client system. Affected products include: NAS326 before firmware V5.21(AAZF.7)C0 NAS520 before firmware V5.21(AASZ.3)C0 NAS540 before firmware V5.21(AATB.4)C0 NAS542 before firmware V5.21(ABAG.4)C0 ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices. Affected models that are end-of-support: NSA210, NSA220, NSA220+, NSA221, NSA310, NSA310S, NSA320, NSA320S, NSA325 and NSA325v2", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-04T20:15:00", "type": "cve", "title": "CVE-2020-9054", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2020-9054"], "modified": "2020-03-06T17:58:00", "cpe": [], "id": "CVE-2020-9054", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9054", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-13T14:29:43", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-14T21:15:00", "type": "cve", "title": "CVE-2019-1144", "cwe": ["CWE-415"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", 
"cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-"], "id": "CVE-2019-1144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1144", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:29:53", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1152.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-14T21:15:00", "type": "cve", "title": "CVE-2019-1151", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1809", 
"cpe:/a:microsoft:office:2019", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2019-1151", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1151", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:29:52", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1151, CVE-2019-1152.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-14T21:15:00", "type": "cve", "title": "CVE-2019-1150", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", 
"cpe:/o:microsoft:windows_rt_8.1:-"], "id": "CVE-2019-1150", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1150", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:29:56", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-14T21:15:00", "type": "cve", "title": "CVE-2019-1152", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", 
"cpe:/o:microsoft:windows_rt_8.1:-"], "id": "CVE-2019-1152", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1152", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:29:41", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2019-1144, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-14T21:15:00", "type": "cve", "title": "CVE-2019-1145", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_7:-", 
"cpe:/o:microsoft:windows_rt_8.1:-"], "id": "CVE-2019-1145", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1145", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-13T14:29:49", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. 
This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-14T21:15:00", "type": "cve", "title": "CVE-2019-1149", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2016:1803", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1903", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1709", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1703", "cpe:/o:microsoft:windows_10:1809", 
"cpe:/a:microsoft:office:2019", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2019-1149", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1149", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1703:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2021-06-08T19:04:43", "description": "### Description\n\nMicrosoft Windows is prone to a remote code-execution vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the currently logged-in user. 
Failed attacks will cause denial of service conditions.\n\n### Technologies Affected\n\n * Microsoft Office 2019 for Mac \n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 Version 1709 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for 32-bit Systems \n * Microsoft Windows 10 Version 1803 for ARM64-based Systems \n * Microsoft Windows 10 Version 1803 for x64-based Systems \n * Microsoft Windows 10 Version 1809 for 32-bit Systems \n * Microsoft Windows 10 Version 1809 for ARM64-based Systems \n * Microsoft Windows 10 Version 1809 for x64-based Systems \n * Microsoft Windows 10 Version 1903 for 32-bit Systems \n * Microsoft Windows 10 Version 1903 for ARM64-based Systems \n * Microsoft Windows 10 Version 1903 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1703 for 32-bit Systems \n * Microsoft Windows 10 version 1703 for x64-based Systems \n * Microsoft Windows 10 version 1709 for 32-bit Systems \n * Microsoft Windows 10 version 1709 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 1803 \n * Microsoft Windows Server 1903 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 \n * Microsoft Windows Server 2019 \n\n### Recommendations\n\n**Run all software as a nonprivileged 
user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits\n\n**Do not follow links provided by unknown or untrusted sources.** \nWeb users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.\n\n**Implement multiple redundant layers of security.** \nMemory-protection schemes (such as nonexecutable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "cvss3": {}, "published": "2019-08-13T00:00:00", "type": "symantec", "title": "Microsoft Windows Graphics Component CVE-2019-1151 Remote Code Execution Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-1151"], "modified": "2019-08-13T00:00:00", "id": "SMNTC-109519", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/109519", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-08-08T19:04:54", "description": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nThere are multiple ways an attacker could exploit the vulnerability:\n\n * In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability and then convince users to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email or instant message that takes users to the attacker's website, or by opening an attachment sent through email.\n * In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability and then convince users to open the document file.\n\nThe security update addresses the vulnerability by correcting how the Windows font library handles embedded fonts.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-13T07:00:00", "type": "mscve", "title": "Microsoft Graphics Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1151"], "modified": "2019-08-13T07:00:00", "id": "MS:CVE-2019-1151", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-1151", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-05T16:27:14", "description": "This host is missing a critical security\n update for Microsoft Office 2019 on Mac OSX according to Microsoft security\n update August 2019", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "openvas", "title": "Microsoft Office Multiple Vulnerabilities-Aug19 (Mac OS X)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1153", "CVE-2019-1201", "CVE-2019-1148", "CVE-2019-1151", "CVE-2019-1149", "CVE-2019-1205"], "modified": "2020-06-04T00:00:00", "id": "OPENVAS:1361412562310815197", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815197", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815197\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-1201\", \"CVE-2019-1205\", \"CVE-2019-1148\", \"CVE-2019-1149\",\n \"CVE-2019-1151\", \"CVE-2019-1153\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 11:52:30 +0530 (Wed, 14 Aug 2019)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"Microsoft Office Multiple Vulnerabilities-Aug19 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update for Microsoft Office 2019 on Mac OSX according to Microsoft security\n update August 2019\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple errors in Microsoft Word software when it fails to properly handle\n objects in memory.\n\n - Multiple errors when the Microsoft Windows Graphics Component improperly\n handles objects in memory.\n\n - Multiple errors when the Windows font library improperly handles specially\n crafted embedded fonts.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the context of the current user and gain access to\n potentially sensitive data.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Office 2019 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade 
to latest version provided by vendor.\n Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/officeupdates/update-history-office-for-mac\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1201\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1205\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1148\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1149\");\n script_xref(name:\"URL\", value:\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1151\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gb_microsoft_office_detect_macosx.nasl\");\n script_mandatory_keys(\"MS/Office/MacOSX/Ver\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nif(!offVer = get_kb_item(\"MS/Office/MacOSX/Ver\")){\n exit(0);\n}\n\nif(offVer =~ \"^16\\.\")\n{\n if(version_in_range(version:offVer, test_version:\"16.17.0\", test_version2:\"16.27\"))\n {\n report = report_fixed_ver(installed_version:offVer, fixed_version:\"Upgrade to latest version provided by vendor\");\n security_message(data:report);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:49", "description": "This host is missing a critical security\n update according to Microsoft KB4512506.", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4512506)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1157", "CVE-2019-1078", 
"CVE-2019-1057", "CVE-2019-1146", "CVE-2019-1145", "CVE-2019-1177", "CVE-2019-1164", "CVE-2019-1156", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-1153", "CVE-2019-1212", "CVE-2019-1133", "CVE-2019-1158", "CVE-2019-1192", "CVE-2019-1154", "CVE-2019-1144", "CVE-2019-9506", "CVE-2019-1182", "CVE-2019-1148", "CVE-2019-0714", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1194", "CVE-2019-0716", "CVE-2019-1152", "CVE-2019-1228", "CVE-2019-1193", "CVE-2019-1187", "CVE-2019-0715", "CVE-2019-1147", "CVE-2019-1162", "CVE-2019-1168", "CVE-2019-1169", "CVE-2019-1155", "CVE-2019-1149", "CVE-2019-0736", "CVE-2019-1181", "CVE-2019-1143", "CVE-2019-1178", "CVE-2019-1159", "CVE-2019-1183"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310815438", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815438", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815438\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-0714\", \"CVE-2019-0715\", \"CVE-2019-0716\", \"CVE-2019-0720\",\n \"CVE-2019-0723\", \"CVE-2019-0736\", \"CVE-2019-1057\", \"CVE-2019-1078\",\n \"CVE-2019-1133\", \"CVE-2019-1143\", \"CVE-2019-1144\", \"CVE-2019-1145\",\n \"CVE-2019-1146\", \"CVE-2019-1147\", \"CVE-2019-1148\", \"CVE-2019-1149\",\n \"CVE-2019-1150\", \"CVE-2019-1151\", \"CVE-2019-1152\", \"CVE-2019-1153\",\n \"CVE-2019-1154\", \"CVE-2019-1155\", \"CVE-2019-1156\", \"CVE-2019-1157\",\n \"CVE-2019-1158\", \"CVE-2019-1159\", \"CVE-2019-1162\", \"CVE-2019-1164\",\n \"CVE-2019-1168\", \"CVE-2019-1169\", \"CVE-2019-1177\", \"CVE-2019-1178\",\n \"CVE-2019-1181\", \"CVE-2019-1182\", \"CVE-2019-1183\", \"CVE-2019-1187\",\n \"CVE-2019-1192\", \"CVE-2019-1193\", \"CVE-2019-1194\", \"CVE-2019-1212\",\n \"CVE-2019-1228\", \"CVE-2019-9506\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 10:21:38 +0530 (Wed, 14 Aug 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4512506)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4512506.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exist as,\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly 
validate\n input from a privileged user on a guest operating system.\n\n - Windows improperly handles objects in memory.\n\n - VBScript engine improperly handles objects in memory.\n\n - The XmlLite runtime (XmlLite.dll) improperly parses XML input.\n\n - Microsoft browsers improperly handle requests of different origins.\n\n - Windows Server DHCP service improperly process specially crafted packets.\n\n - Bluetooth BR/EDR key negotiation vulnerability that exists at the hardware\n specification level of any BR/EDR Bluetooth device.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n an attacker to crash the host server, execute arbitrary code on the target\n system, obtain information that could be used to try to further compromise\n the affected system and negotiate the offered key length of bluetooth\n connection.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4512506\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\ndllPath = smb_get_system32root();\nif(!dllPath)\n exit(0);\n\nfileVer = fetch_file_version(sysPath:dllPath, file_name:\"Urlmon.dll\");\nif(!fileVer)\n exit(0);\n\nif(version_is_less(version:fileVer, test_version:\"11.0.9600.19431\")) {\n report = report_fixed_ver(file_checked:dllPath + \"\\Urlmon.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 11.0.9600.19431\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-08T12:52:50", "description": "This host is missing a critical security\n update according to Microsoft KB4512488", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4512488)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1157", "CVE-2019-1078", "CVE-2019-1057", "CVE-2019-1146", "CVE-2019-1145", "CVE-2019-1177", "CVE-2019-1164", "CVE-2019-1156", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-1153", "CVE-2019-1212", "CVE-2019-1133", "CVE-2019-1158", "CVE-2019-1192", "CVE-2019-1144", "CVE-2019-9506", "CVE-2019-1182", "CVE-2019-1148", "CVE-2019-0714", "CVE-2019-1150", "CVE-2019-1151", 
"CVE-2019-0718", "CVE-2019-1194", "CVE-2019-0716", "CVE-2019-1152", "CVE-2019-1193", "CVE-2019-1187", "CVE-2019-1180", "CVE-2019-0715", "CVE-2019-1172", "CVE-2019-1147", "CVE-2019-1162", "CVE-2019-1206", "CVE-2019-1168", "CVE-2019-1155", "CVE-2019-1149", "CVE-2019-0736", "CVE-2019-1181", "CVE-2019-1143", "CVE-2019-1178", "CVE-2019-1159", "CVE-2019-1183"], "modified": "2019-12-20T00:00:00", "id": "OPENVAS:1361412562310815439", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815439", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815439\");\n script_version(\"2019-12-20T10:24:46+0000\");\n script_cve_id(\"CVE-2019-0714\", \"CVE-2019-0715\", \"CVE-2019-0716\", \"CVE-2019-1168\",\n \"CVE-2019-1172\", \"CVE-2019-0718\", \"CVE-2019-0720\", \"CVE-2019-0723\",\n \"CVE-2019-0736\", \"CVE-2019-1177\", \"CVE-2019-1178\", \"CVE-2019-1057\",\n \"CVE-2019-1078\", \"CVE-2019-1180\", \"CVE-2019-1181\", \"CVE-2019-1133\",\n \"CVE-2019-1182\", \"CVE-2019-1183\", \"CVE-2019-1145\", \"CVE-2019-1146\",\n \"CVE-2019-1147\", \"CVE-2019-1192\", \"CVE-2019-1193\", \"CVE-2019-1194\",\n \"CVE-2019-1148\", \"CVE-2019-1149\", \"CVE-2019-1150\", \"CVE-2019-1151\",\n \"CVE-2019-1152\", \"CVE-2019-1206\", \"CVE-2019-1212\", \"CVE-2019-1153\",\n \"CVE-2019-1155\", \"CVE-2019-9506\", \"CVE-2019-1156\", \"CVE-2019-1157\",\n \"CVE-2019-1158\", \"CVE-2019-1159\", \"CVE-2019-1162\", \"CVE-2019-1164\",\n \"CVE-2019-1143\", \"CVE-2019-1144\", \"CVE-2019-1187\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-20 10:24:46 +0000 (Fri, 20 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 10:47:57 +0530 (Wed, 14 Aug 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4512488)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4512488\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on\n the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows improperly handles objects in 
memory.\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - Windows font library improperly handles specially crafted embedded\n fonts.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows kernel fails to properly handle objects in memory.\n\n - Microsoft XML Core Services MSXML parser improperly processes user input.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to cause a target system to stop responding, run arbitrary code on the client\n machine and obtain information to further compromise a user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 8.1 for 32-bit/x64\n\n - Microsoft Windows Server 2012 R2\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815434\");\n script_version(\"2020-06-04T09:02:37+0000\");\n script_cve_id(\"CVE-2019-0714\", \"CVE-2019-0715\", \"CVE-2019-1164\", \"CVE-2019-1168\",\n \"CVE-2019-1170\", \"CVE-2019-1171\", \"CVE-2019-1172\", \"CVE-2019-0716\",\n \"CVE-2019-0717\", \"CVE-2019-0718\", \"CVE-2019-0723\", \"CVE-2019-1173\",\n \"CVE-2019-1174\", \"CVE-2019-1175\", \"CVE-2019-1176\", \"CVE-2019-1177\",\n \"CVE-2019-0965\", \"CVE-2019-1030\", \"CVE-2019-1057\", \"CVE-2019-1178\",\n \"CVE-2019-1179\", \"CVE-2019-1180\", \"CVE-2019-1078\", \"CVE-2019-1131\",\n \"CVE-2019-1133\", \"CVE-2019-1139\", \"CVE-2019-1181\", \"CVE-2019-1182\",\n \"CVE-2019-1183\", \"CVE-2019-1184\", \"CVE-2019-1145\", \"CVE-2019-1146\",\n \"CVE-2019-1192\", \"CVE-2019-1193\", \"CVE-2019-1147\", \"CVE-2019-1148\",\n \"CVE-2019-1149\", \"CVE-2019-1194\", \"CVE-2019-1195\", \"CVE-2019-1196\",\n \"CVE-2019-1197\", \"CVE-2019-1198\", \"CVE-2019-1150\", \"CVE-2019-1151\",\n \"CVE-2019-1206\", \"CVE-2019-1212\", \"CVE-2019-1222\", \"CVE-2019-1223\",\n \"CVE-2019-1152\", \"CVE-2019-1153\", \"CVE-2019-1224\", \"CVE-2019-1225\",\n \"CVE-2019-1226\", \"CVE-2019-1227\", \"CVE-2019-9506\", \"CVE-2019-1155\",\n \"CVE-2019-1156\", \"CVE-2019-9511\", \"CVE-2019-9512\", \"CVE-2019-9513\",\n \"CVE-2019-9514\", \"CVE-2019-9518\", \"CVE-2019-1157\", \"CVE-2019-1158\",\n \"CVE-2019-1159\", \"CVE-2019-1162\", \"CVE-2019-1163\", \"CVE-2019-1140\",\n \"CVE-2019-1141\", \"CVE-2019-1143\", \"CVE-2019-1144\", \"CVE-2019-1185\",\n \"CVE-2019-1186\", \"CVE-2019-1187\", \"CVE-2019-1188\", \"CVE-2019-1190\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 09:02:37 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 09:26:41 +0530 (Wed, 14 Aug 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4512508)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4512508\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - Windows improperly handles objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows font library improperly handles specially crafted embedded\n fonts.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - The Chakra scripting engine handles objects in memory in Microsoft Edge.\n\n - Windows RDP server improperly discloses the contents of its memory.\n\n - Windows kernel fails to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in the security context of the local system, cause the\n host server to crash, elevate permissions and obtain information to further\n compromise the user's system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1903 for x64-based Systems\n\n - Microsoft Windows 10 Version 1903 for 32-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4512508\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer){\n exit(0);\n}\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.18362.0\", test_version2:\"11.0.18362.294\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.18362.0 - 11.0.18362.294\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-07-21T20:40:47", "description": "This host is missing a critical security\n update according to Microsoft KB4512501", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "openvas", "title": "Microsoft Windows Multiple Vulnerabilities (KB4512501)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-1157", "CVE-2019-1078", "CVE-2019-1057", "CVE-2019-1146", "CVE-2019-1145", "CVE-2019-1195", "CVE-2019-1177", "CVE-2019-1198", "CVE-2019-1164", "CVE-2019-1156", "CVE-2019-0720", "CVE-2019-1226", "CVE-2019-0723", "CVE-2019-1153", "CVE-2019-1163", "CVE-2019-1179", "CVE-2019-1188", "CVE-2019-1212", "CVE-2019-1171", "CVE-2019-1133", 
"CVE-2019-1158", "CVE-2019-1192", "CVE-2019-1175", "CVE-2019-1140", "CVE-2019-1227", "CVE-2019-1144", "CVE-2019-9506", "CVE-2019-9512", "CVE-2019-1182", "CVE-2019-1148", "CVE-2019-1139", "CVE-2019-9511", "CVE-2019-1225", "CVE-2019-0714", "CVE-2019-9518", "CVE-2019-1150", "CVE-2019-1222", "CVE-2019-1184", "CVE-2019-1151", "CVE-2019-0718", "CVE-2019-1197", "CVE-2019-1030", "CVE-2019-1194", "CVE-2019-0716", "CVE-2019-1173", "CVE-2019-0965", "CVE-2019-1152", "CVE-2019-9513", "CVE-2019-1193", "CVE-2019-1187", "CVE-2019-1180", "CVE-2019-1131", "CVE-2019-0715", "CVE-2019-1172", "CVE-2019-1147", "CVE-2019-1162", "CVE-2019-1206", "CVE-2019-1223", "CVE-2019-1176", "CVE-2019-1168", "CVE-2019-1196", "CVE-2019-9514", "CVE-2019-1155", "CVE-2019-1149", "CVE-2019-1224", "CVE-2019-0736", "CVE-2019-1181", "CVE-2019-1143", "CVE-2019-1178", "CVE-2019-1159", "CVE-2019-1186", "CVE-2019-1183"], "modified": "2020-07-17T00:00:00", "id": "OPENVAS:1361412562310815436", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815436", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815436\");\n script_version(\"2020-07-17T05:57:41+0000\");\n script_cve_id(\"CVE-2019-0714\", \"CVE-2019-0715\", \"CVE-2019-1168\", \"CVE-2019-1171\",\n \"CVE-2019-1172\", \"CVE-2019-0716\", \"CVE-2019-0718\", \"CVE-2019-0720\",\n \"CVE-2019-0723\", \"CVE-2019-1173\", \"CVE-2019-1175\", \"CVE-2019-1176\",\n \"CVE-2019-1177\", \"CVE-2019-0736\", \"CVE-2019-0965\", \"CVE-2019-1030\",\n \"CVE-2019-1057\", \"CVE-2019-1178\", \"CVE-2019-1179\", \"CVE-2019-1180\",\n \"CVE-2019-1078\", \"CVE-2019-1131\", \"CVE-2019-1133\", \"CVE-2019-1139\",\n \"CVE-2019-1140\", \"CVE-2019-1181\", \"CVE-2019-1182\", \"CVE-2019-1183\",\n \"CVE-2019-1184\", \"CVE-2019-1145\", \"CVE-2019-1146\", \"CVE-2019-1192\",\n \"CVE-2019-1193\", \"CVE-2019-1194\", \"CVE-2019-1147\", \"CVE-2019-1148\",\n \"CVE-2019-1149\", \"CVE-2019-1195\", \"CVE-2019-1196\", \"CVE-2019-1197\",\n \"CVE-2019-1198\", \"CVE-2019-1150\", \"CVE-2019-1151\", \"CVE-2019-1206\",\n \"CVE-2019-1212\", \"CVE-2019-1222\", \"CVE-2019-1223\", \"CVE-2019-1152\",\n \"CVE-2019-1153\", \"CVE-2019-1224\", \"CVE-2019-1225\", \"CVE-2019-1226\",\n \"CVE-2019-1227\", \"CVE-2019-9506\", \"CVE-2019-1155\", \"CVE-2019-1156\",\n \"CVE-2019-1157\", \"CVE-2019-9511\", \"CVE-2019-9512\", \"CVE-2019-9513\",\n \"CVE-2019-9514\", \"CVE-2019-9518\", \"CVE-2019-1158\", \"CVE-2019-1159\",\n \"CVE-2019-1162\", \"CVE-2019-1163\", \"CVE-2019-1164\", \"CVE-2019-1143\",\n \"CVE-2019-1144\", \"CVE-2019-1186\", \"CVE-2019-1187\", \"CVE-2019-1188\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-07-17 
05:57:41 +0000 (Fri, 17 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 09:46:01 +0530 (Wed, 14 Aug 2019)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4512501)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4512501\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Windows improperly handles objects in memory.\n\n - Microsoft Hyper-V Network Switch on a host server fails to properly\n validate input from a privileged user on a guest operating system.\n\n - Windows DirectX improperly handles objects in memory.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows font library improperly handles specially crafted embedded\n fonts.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows Jet Database Engine improperly handles objects in memory.\n\n - The Chakra scripting engine improperly handles objects in memory in\n Microsoft Edge.\n\n - Windows RDP server improperly discloses the contents of its memory.\n\n - Windows kernel fails to properly handle objects in memory.\n\n Please see the references for more information about the vulnerabilities.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code on the client machine, obtain information to further\n compromise user's system, elevate privileges and create a denial of service\n condition causing the target system to become unresponsive.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 Version 1803 for x64-based Systems\n\n - Microsoft Windows 10 Version 1803 for 32-bit Systems\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see\n the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4512501\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath)\n exit(0);\n\nedgeVer = fetch_file_version(sysPath:sysPath, file_name:\"edgehtml.dll\");\nif(!edgeVer)\n exit(0);\n\nif(version_in_range(version:edgeVer, test_version:\"11.0.17134.0\", test_version2:\"11.0.17134.949\")) {\n report = report_fixed_ver(file_checked:sysPath + \"\\Edgehtml.dll\",\n file_version:edgeVer, vulnerable_range:\"11.0.17134.0 - 11.0.17134.949\");\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2023-06-13T15:20:33", "description": "### *Detect date*:\n08/13/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Office. 
Malicious users can exploit these vulnerabilities to spoof user interface, execute arbitrary code, gain privileges, obtain sensitive information.\n\n### *Affected products*:\nMicrosoft SharePoint Enterprise Server 2016 \nMicrosoft SharePoint Enterprise Server 2013 Service Pack 1 \nMicrosoft SharePoint Server 2019 \nOutlook for iOS \nMicrosoft Office 2019 for 64-bit editions \nMicrosoft Office 2019 for Mac \nMicrosoft Office Online Server \nOffice 365 ProPlus for 32-bit Systems \nMicrosoft Office 2019 for 32-bit editions \nMicrosoft Office 2016 for Mac \nOffice 365 ProPlus for 64-bit Systems \nMicrosoft Outlook 2016 (64-bit edition) \nMicrosoft Outlook 2013 Service Pack 1 (32-bit editions) \nMicrosoft Outlook 2016 (32-bit edition) \nMicrosoft Outlook 2010 Service Pack 2 (64-bit editions) \nMicrosoft Outlook 2013 RT Service Pack 1 \nMicrosoft Outlook 2013 Service Pack 1 (64-bit editions) \nMicrosoft Outlook 2010 Service Pack 2 (32-bit editions) \nMicrosoft SharePoint Foundation 2010 Service Pack 2 \nMicrosoft SharePoint Foundation 2013 Service Pack 1 \nWindows Server 2012 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1803 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1903 for ARM64-based Systems \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 
2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows RT 8.1 \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 \nWindows 8.1 for x64-based systems \nWindows 10 Version 1709 for 64-based Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 for 32-bit Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2019 \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Office Web Apps 2010 Service Pack 2 \nMicrosoft Office Web Apps Server 2013 Service Pack 1 \nMicrosoft Word 2010 Service Pack 2 (32-bit editions) \nMicrosoft Word 2013 Service Pack 1 (32-bit editions) \nMicrosoft Word 2013 Service Pack 1 (64-bit editions) \nMicrosoft Word 2016 (32-bit edition) \nMicrosoft Word 2016 (64-bit edition) \nMicrosoft SharePoint Server 2010 Service Pack 2 \nMicrosoft Word 2013 RT Service Pack 1 \nMicrosoft Word 2010 Service Pack 2 (64-bit editions)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update 
(Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-1203](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1203>) \n[CVE-2019-1218](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1218>) \n[CVE-2019-1205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1205>) \n[CVE-2019-1204](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204>) \n[CVE-2019-1199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1199>) \n[CVE-2019-1200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1200>) \n[CVE-2019-1202](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1202>) \n[CVE-2019-1153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1153>) \n[CVE-2019-1155](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1155>) \n[CVE-2019-1201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1201>) \n[CVE-2019-1149](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1149>) \n[CVE-2019-1148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1148>) \n[CVE-2019-1151](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1151>) \n[ADV190014](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190014>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2019-1153](<https://vulners.com/cve/CVE-2019-1153>)2.1Warning \n[CVE-2019-1151](<https://vulners.com/cve/CVE-2019-1151>)9.3Critical \n[CVE-2019-1148](<https://vulners.com/cve/CVE-2019-1148>)2.1Warning \n[CVE-2019-1155](<https://vulners.com/cve/CVE-2019-1155>)9.3Critical 
\n[CVE-2019-1149](<https://vulners.com/cve/CVE-2019-1149>)9.3Critical \n[CVE-2019-1203](<https://vulners.com/cve/CVE-2019-1203>)3.5Warning \n[CVE-2019-1218](<https://vulners.com/cve/CVE-2019-1218>)3.5Warning \n[CVE-2019-1205](<https://vulners.com/cve/CVE-2019-1205>)9.3Critical \n[CVE-2019-1204](<https://vulners.com/cve/CVE-2019-1204>)4.3Warning \n[CVE-2019-1199](<https://vulners.com/cve/CVE-2019-1199>)9.3Critical \n[CVE-2019-1200](<https://vulners.com/cve/CVE-2019-1200>)9.3Critical \n[CVE-2019-1202](<https://vulners.com/cve/CVE-2019-1202>)3.6Warning \n[CVE-2019-1201](<https://vulners.com/cve/CVE-2019-1201>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4475506](<http://support.microsoft.com/kb/4475506>) \n[4475538](<http://support.microsoft.com/kb/4475538>) \n[4464599](<http://support.microsoft.com/kb/4464599>) \n[4475555](<http://support.microsoft.com/kb/4475555>) \n[4475549](<http://support.microsoft.com/kb/4475549>) \n[4475557](<http://support.microsoft.com/kb/4475557>) \n[4475528](<http://support.microsoft.com/kb/4475528>) \n[4475563](<http://support.microsoft.com/kb/4475563>) \n[4475573](<http://support.microsoft.com/kb/4475573>) \n[4475553](<http://support.microsoft.com/kb/4475553>) \n[4475565](<http://support.microsoft.com/kb/4475565>) \n[4475575](<http://support.microsoft.com/kb/4475575>) \n[4475530](<http://support.microsoft.com/kb/4475530>) \n[4475540](<http://support.microsoft.com/kb/4475540>) \n[4475547](<http://support.microsoft.com/kb/4475547>) \n[4462137](<http://support.microsoft.com/kb/4462137>) \n[4475531](<http://support.microsoft.com/kb/4475531>) \n[4462216](<http://support.microsoft.com/kb/4462216>) \n[4475534](<http://support.microsoft.com/kb/4475534>) \n[4475533](<http://support.microsoft.com/kb/4475533>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", 
"integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "kaspersky", "title": "KLA11536 Multiple vulnerabilities in Microsoft Office", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1151", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1199", "CVE-2019-1200", "CVE-2019-1201", "CVE-2019-1202", "CVE-2019-1203", "CVE-2019-1204", "CVE-2019-1205", "CVE-2019-1218"], "modified": "2020-06-03T00:00:00", "id": "KLA11536", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11536/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-09T12:03:54", "description": "### *Detect date*:\n08/13/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Support Update). Malicious users can exploit these vulnerabilities to cause denial of service, execute arbitrary code, gain privileges, obtain sensitive information, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nMicrosoft Office 2016 (32-bit edition) \nInternet Explorer 11 \nWindows Server, version 1803 (Server Core Installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nInternet Explorer 10 \nWindows 10 Version 1709 for 32-bit Systems \nMicrosoft Office 2016 (64-bit edition) \nWindows 10 Version 1607 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nMicrosoft Office 2019 for 64-bit editions \nWindows 7 for 32-bit Systems Service Pack 1 \nMicrosoft Office 2019 for Mac \nOffice 365 ProPlus for 32-bit Systems \nWindows Server 2019 \nOffice 365 ProPlus for 64-bit Systems \nWindows Server 2019 (Server Core installation) \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nWindows Server 2016 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nWindows 10 for x64-based Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 1903 for x64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nWindows Server, version 1903 (Server Core installation) \nWindows 10 for 32-bit Systems \nWindows Server 2012 \nWindows Server, version 1709 (Server Core Installation) \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 
1703 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nMicrosoft Office 2019 for 32-bit editions \nWindows 10 Version 1709 for x64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nWindows 10 Version 1607 for x64-based Systems \nInternet Explorer 9 \nWindows RT 8.1 \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 R2\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-0716](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0716>) \n[CVE-2019-0715](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0715>) \n[CVE-2019-0714](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0714>) \n[CVE-2019-0736](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0736>) \n[CVE-2019-1145](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1145>) \n[CVE-2019-1162](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1162>) \n[CVE-2019-1147](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1147>) \n[CVE-2019-1212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1212>) \n[CVE-2019-1143](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1143>) \n[CVE-2019-1164](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1164>) 
\n[CVE-2019-1169](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1169>) \n[CVE-2019-1168](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1168>) \n[CVE-2019-1149](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1149>) \n[CVE-2019-1148](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1148>) \n[CVE-2019-1187](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1187>) \n[CVE-2019-9506](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9506>) \n[CVE-2019-1228](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1228>) \n[CVE-2019-1133](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1133>) \n[CVE-2019-1178](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1178>) \n[CVE-2019-0723](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0723>) \n[CVE-2019-0720](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0720>) \n[CVE-2019-1177](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1177>) \n[CVE-2019-1156](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1156>) \n[CVE-2019-1157](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1157>) \n[CVE-2019-1154](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1154>) \n[CVE-2019-1155](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1155>) \n[CVE-2019-1057](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1057>) \n[CVE-2019-1153](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1153>) \n[CVE-2019-1150](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1150>) 
\n[CVE-2019-1151](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1151>) \n[CVE-2019-1078](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1078>) \n[CVE-2019-1158](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1158>) \n[CVE-2019-1159](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1159>) \n[CVE-2019-1194](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1194>) \n[CVE-2019-1144](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1144>) \n[CVE-2019-1213](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1213>) \n[CVE-2019-1146](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1146>) \n[CVE-2019-1152](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1152>) \n[ADV190023](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *KB list*:\n[4512506](<http://support.microsoft.com/kb/4512506>) \n[4511872](<http://support.microsoft.com/kb/4511872>) \n[4512476](<http://support.microsoft.com/kb/4512476>) \n[4512486](<http://support.microsoft.com/kb/4512486>) \n[4512491](<http://support.microsoft.com/kb/4512491>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "kaspersky", "title": "KLA11989 
Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1133", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1154", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1169", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1187", "CVE-2019-1194", "CVE-2019-1212", "CVE-2019-1213", "CVE-2019-1228", "CVE-2019-9506"], "modified": "2023-08-09T00:00:00", "id": "KLA11989", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11989/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-25T12:34:56", "description": "### *Detect date*:\n08/13/2019\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, gain privileges, cause denial of service, spoof user interface, bypass security restrictions.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows 10 Version 1903 for 32-bit Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2019 \nWindows 10 Version 1803 for ARM64-based Systems \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1709 for ARM64-based Systems \nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows 10 Version 1803 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2016 \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2012 \nWindows 10 Version 1903 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 10 Version 1709 for 32-bit Systems \nWindows Server 2008 for 32-bit 
Systems Service Pack 2 \nWindows 7 for x64-based Systems Service Pack 1 \nMicrosoft Office 2019 for Mac \nMicrosoft Office 2010 Service Pack 2 (64-bit editions) \nMicrosoft Office 2019 for 32-bit editions \nOffice 365 ProPlus for 32-bit Systems \nMicrosoft Office 2019 for 64-bit editions \nOffice 365 ProPlus for 64-bit Systems \nMicrosoft Office 2016 (64-bit edition) \nMicrosoft Office 2016 (32-bit edition) \nMicrosoft Office 2013 RT Service Pack 1 \nMicrosoft Office 2010 Service Pack 2 (32-bit editions) \nMicrosoft Office 2013 Service Pack 1 (64-bit editions) \nMicrosoft Office 2013 Service Pack 1 (32-bit editions) \nWindows Server, version 1909 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 10 Version 1709 for x64-based Systems \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 1709 (Server Core Installation) \nWindows Server 2016 (Server Core installation) \nWindows Server, version 1803 (Server Core Installation) \nWindows Server 2019 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2019-1143](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1143>) \n[CVE-2019-0720](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0720>) \n[CVE-2019-1179](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1179>) \n[CVE-2019-1175](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1175>) \n[CVE-2019-1190](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1190>) \n[CVE-2019-0715](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0715>) \n[CVE-2019-1174](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1174>) 
\n[CVE-2019-1227](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1227>) \n[CVE-2019-0716](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0716>) \n[CVE-2019-1176](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1176>) \n[CVE-2019-1144](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1144>) \n[CVE-2019-9506](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9506>) \n[CVE-2019-9513](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9513>) \n[CVE-2019-1226](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1226>) \n[CVE-2019-1177](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1177>) \n[CVE-2019-1186](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1186>) \n[CVE-2019-9511](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9511>) \n[CVE-2019-1153](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1153>) \n[CVE-2019-1147](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1147>) \n[CVE-2019-1078](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1078>) \n[CVE-2019-1171](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1171>) \n[CVE-2019-0714](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0714>) \n[CVE-2019-1145](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1145>) \n[CVE-2019-9514](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9514>) \n[CVE-2019-1187](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1187>) \n[CVE-2019-1151](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1151>) 
\n[CVE-2019-9512](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9512>) \n[CVE-2019-1146](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1146>) \n[CVE-2019-1148](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1148>) \n[CVE-2019-1178](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1178>) \n[CVE-2019-1180](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1180>) \n[CVE-2019-1181](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1181>) \n[CVE-2019-1157](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1157>) \n[CVE-2019-1163](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1163>) \n[CVE-2019-0718](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0718>) \n[CVE-2019-1172](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1172>) \n[CVE-2019-1155](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1155>) \n[CVE-2019-0723](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0723>) \n[CVE-2019-1185](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1185>) \n[CVE-2019-1149](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1149>) \n[CVE-2019-1206](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1206>) \n[CVE-2019-1159](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1159>) \n[CVE-2019-1188](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1188>) \n[CVE-2019-1173](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1173>) \n[CVE-2019-1162](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1162>) 
\n[CVE-2019-1150](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1150>) \n[CVE-2019-1164](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1164>) \n[CVE-2019-9518](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-9518>) \n[CVE-2019-1222](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1222>) \n[CVE-2019-1223](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1223>) \n[CVE-2019-1152](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1152>) \n[CVE-2019-1198](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1198>) \n[CVE-2019-1158](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1158>) \n[CVE-2019-1156](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1156>) \n[CVE-2019-1225](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1225>) \n[CVE-2019-1182](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1182>) \n[CVE-2019-1057](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1057>) \n[CVE-2019-1224](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1224>) \n[CVE-2019-0736](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0736>) \n[CVE-2019-1168](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1168>) \n[CVE-2019-0965](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0965>) \n[CVE-2019-0717](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-0717>) \n[CVE-2019-1184](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1184>) \n[CVE-2019-1183](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1183>) 
\n[CVE-2019-1212](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1212>) \n[CVE-2019-1170](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2019-1170>) \n[ADV190023](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/ADV190023>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Office](<https://threats.kaspersky.com/en/product/Microsoft-Office/>)\n\n### *CVE-IDS*:\n[CVE-2019-1143](<https://vulners.com/cve/CVE-2019-1143>)2.1Warning \n[CVE-2019-0720](<https://vulners.com/cve/CVE-2019-0720>)7.7Critical \n[CVE-2019-1179](<https://vulners.com/cve/CVE-2019-1179>)4.6Warning \n[CVE-2019-1175](<https://vulners.com/cve/CVE-2019-1175>)4.6Warning \n[CVE-2019-1190](<https://vulners.com/cve/CVE-2019-1190>)7.2High \n[CVE-2019-0715](<https://vulners.com/cve/CVE-2019-0715>)5.5High \n[CVE-2019-1174](<https://vulners.com/cve/CVE-2019-1174>)4.6Warning \n[CVE-2019-1227](<https://vulners.com/cve/CVE-2019-1227>)2.1Warning \n[CVE-2019-0716](<https://vulners.com/cve/CVE-2019-0716>)6.8High \n[CVE-2019-1176](<https://vulners.com/cve/CVE-2019-1176>)7.2High \n[CVE-2019-1144](<https://vulners.com/cve/CVE-2019-1144>)9.3Critical \n[CVE-2019-9506](<https://vulners.com/cve/CVE-2019-9506>)4.8Warning \n[CVE-2019-9513](<https://vulners.com/cve/CVE-2019-9513>)7.8Critical \n[CVE-2019-1177](<https://vulners.com/cve/CVE-2019-1177>)4.6Warning \n[CVE-2019-1186](<https://vulners.com/cve/CVE-2019-1186>)4.6Warning \n[CVE-2019-9511](<https://vulners.com/cve/CVE-2019-9511>)7.8Critical \n[CVE-2019-1153](<https://vulners.com/cve/CVE-2019-1153>)2.1Warning \n[CVE-2019-1147](<https://vulners.com/cve/CVE-2019-1147>)9.3Critical \n[CVE-2019-1078](<https://vulners.com/cve/CVE-2019-1078>)2.1Warning \n[CVE-2019-1171](<https://vulners.com/cve/CVE-2019-1171>)2.1Warning \n[CVE-2019-0714](<https://vulners.com/cve/CVE-2019-0714>)5.5High \n[CVE-2019-1145](<https://vulners.com/cve/CVE-2019-1145>)9.3Critical 
\n[CVE-2019-9514](<https://vulners.com/cve/CVE-2019-9514>)7.8Critical \n[CVE-2019-1170](<https://vulners.com/cve/CVE-2019-1170>)7.2High \n[CVE-2019-1187](<https://vulners.com/cve/CVE-2019-1187>)5.0Critical \n[CVE-2019-1151](<https://vulners.com/cve/CVE-2019-1151>)9.3Critical \n[CVE-2019-9512](<https://vulners.com/cve/CVE-2019-9512>)7.8Critical \n[CVE-2019-1146](<https://vulners.com/cve/CVE-2019-1146>)9.3Critical \n[CVE-2019-1148](<https://vulners.com/cve/CVE-2019-1148>)2.1Warning \n[CVE-2019-1178](<https://vulners.com/cve/CVE-2019-1178>)4.6Warning \n[CVE-2019-1180](<https://vulners.com/cve/CVE-2019-1180>)4.6Warning \n[CVE-2019-1157](<https://vulners.com/cve/CVE-2019-1157>)9.3Critical \n[CVE-2019-1163](<https://vulners.com/cve/CVE-2019-1163>)4.3Warning \n[CVE-2019-0718](<https://vulners.com/cve/CVE-2019-0718>)5.5High \n[CVE-2019-1172](<https://vulners.com/cve/CVE-2019-1172>)4.3Warning \n[CVE-2019-1155](<https://vulners.com/cve/CVE-2019-1155>)9.3Critical \n[CVE-2019-0723](<https://vulners.com/cve/CVE-2019-0723>)5.5High \n[CVE-2019-1185](<https://vulners.com/cve/CVE-2019-1185>)4.6Warning \n[CVE-2019-1149](<https://vulners.com/cve/CVE-2019-1149>)9.3Critical \n[CVE-2019-1206](<https://vulners.com/cve/CVE-2019-1206>)5.0Critical \n[CVE-2019-1159](<https://vulners.com/cve/CVE-2019-1159>)7.2High \n[CVE-2019-1188](<https://vulners.com/cve/CVE-2019-1188>)9.3Critical \n[CVE-2019-1173](<https://vulners.com/cve/CVE-2019-1173>)4.6Warning \n[CVE-2019-1212](<https://vulners.com/cve/CVE-2019-1212>)7.8Critical \n[CVE-2019-1162](<https://vulners.com/cve/CVE-2019-1162>)7.2High \n[CVE-2019-1150](<https://vulners.com/cve/CVE-2019-1150>)9.3Critical \n[CVE-2019-1164](<https://vulners.com/cve/CVE-2019-1164>)7.2High \n[CVE-2019-9518](<https://vulners.com/cve/CVE-2019-9518>)7.8Critical \n[CVE-2019-1223](<https://vulners.com/cve/CVE-2019-1223>)5.0Critical \n[CVE-2019-1152](<https://vulners.com/cve/CVE-2019-1152>)9.3Critical \n[CVE-2019-1198](<https://vulners.com/cve/CVE-2019-1198>)7.5Critical 
\n[CVE-2019-1158](<https://vulners.com/cve/CVE-2019-1158>)2.1Warning \n[CVE-2019-1183](<https://vulners.com/cve/CVE-2019-1183>)9.3Critical \n[CVE-2019-1156](<https://vulners.com/cve/CVE-2019-1156>)9.3Critical \n[CVE-2019-1225](<https://vulners.com/cve/CVE-2019-1225>)5.0Critical \n[CVE-2019-1057](<https://vulners.com/cve/CVE-2019-1057>)9.3Critical \n[CVE-2019-1224](<https://vulners.com/cve/CVE-2019-1224>)5.0Critical \n[CVE-2019-0736](<https://vulners.com/cve/CVE-2019-0736>)7.5Critical \n[CVE-2019-1168](<https://vulners.com/cve/CVE-2019-1168>)7.2High \n[CVE-2019-0965](<https://vulners.com/cve/CVE-2019-0965>)7.7Critical \n[CVE-2019-0717](<https://vulners.com/cve/CVE-2019-0717>)5.5High \n[CVE-2019-1184](<https://vulners.com/cve/CVE-2019-1184>)7.2High\n\n### *KB list*:\n[4512516](<http://support.microsoft.com/kb/4512516>) \n[4511553](<http://support.microsoft.com/kb/4511553>) \n[4512501](<http://support.microsoft.com/kb/4512501>) \n[4512497](<http://support.microsoft.com/kb/4512497>) \n[4512517](<http://support.microsoft.com/kb/4512517>) \n[4512518](<http://support.microsoft.com/kb/4512518>) \n[4512488](<http://support.microsoft.com/kb/4512488>) \n[4512508](<http://support.microsoft.com/kb/4512508>) \n[4512507](<http://support.microsoft.com/kb/4512507>) \n[4512482](<http://support.microsoft.com/kb/4512482>) \n[4512489](<http://support.microsoft.com/kb/4512489>) \n[4540673](<http://support.microsoft.com/kb/4540673>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-08-13T00:00:00", "type": "kaspersky", "title": "KLA11534 Multiple vulnerabilities 
in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0717", "CVE-2019-0718", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-0965", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1170", "CVE-2019-1171", "CVE-2019-1172", "CVE-2019-1173", "CVE-2019-1174", "CVE-2019-1175", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1184", "CVE-2019-1185", "CVE-2019-1186", "CVE-2019-1187", "CVE-2019-1188", "CVE-2019-1190", "CVE-2019-1198", "CVE-2019-1206", "CVE-2019-1212", "CVE-2019-1222", "CVE-2019-1223", "CVE-2019-1224", "CVE-2019-1225", "CVE-2019-1226", "CVE-2019-1227", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2023-09-21T00:00:00", "id": "KLA11534", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11534/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-08-20T14:20:20", "description": 
"[](<http://3.bp.blogspot.com/-bIERk6jqSvs/XKypl8tltSI/AAAAAAAAFxU/d9l6_EW1Czs7DzBngmhg8pjdPfhPAZ3yACK4BGAYYCw/s1600/recurring%2Bblog%2Bimages_patch%2Btuesday.jpg>) \nMicrosoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 97 vulnerabilities, 31 of which are rated \u201ccritical,\" 65 that are considered \"important\" and one \"moderate.\" \n \nThis month\u2019s security update covers security issues in a variety of Microsoft services and software, including certain graphics components, Outlook and the Chakra Scripting Engine. For more on our coverage of these bugs, check out our Snort advisories [here](<https://snort.org/advisories>), covering all of the new rules we have for this release. \n \n\n\n### Critical vulnerabilities\n\nMicrosoft disclosed 31 critical vulnerabilities this month, three of which we will highlight below. \n \n[CVE-2019-1181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181>) and [CVE-2019-1182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182>) are both remote code execution vulnerabilities in Remote Desktop Protocol. The vulnerabilities arise when an attacker connects to the target system using RDP and sends certain specially crafted requests. These bugs require no user interaction and do not require any authentication on the part of the attacker. An attacker could gain the ability to execute arbitrary code by exploiting these vulnerabilities. RDP has gained notoriety recently for being a part of the infamous BlueKeep vulnerability, a wormable bug in Microsoft that has yet to be exploited in the wild. \n \n[CVE-2019-1200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1200>) is a remote code execution vulnerability in Microsoft Outlook that occurs when the software fails to properly handle objects in memory. 
An attacker could use a specially crafted file to exploit this bug and be able to perform actions at the same security level as the current user. An attacker can exploit this vulnerability by tricking the user into opening a specially crafted file with a vulnerable version of Microsoft Outlook. However, this attack vector only works if the user opens the email itself \u2014 it does not work in preview mode. \n \nThe other critical vulnerabilities are: \n \n\n\n * [CVE-2019-0719](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0719>)\n * [CVE-2019-0720](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0720>)\n * [CVE-2019-0736](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0736>)\n * [CVE-2019-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0965>)\n * [CVE-2019-1131](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1131>)\n * [CVE-2019-1133](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1133>)\n * [CVE-2019-1139](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1139>)\n * [CVE-2019-1140](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1140>)\n * [CVE-2019-1141](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1141>)\n * [CVE-2019-1144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1144>)\n * [CVE-2019-1145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1145>)\n * [CVE-2019-1149](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1149>)\n * [CVE-2019-1150](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1150>)\n * [CVE-2019-1151](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1151>)\n * 
[CVE-2019-1152](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1152>)\n * [CVE-2019-1181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181>)\n * [CVE-2019-1182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182>)\n * [CVE-2019-1183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1183>)\n * [CVE-2019-1188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1188>)\n * [CVE-2019-1194](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1194>)\n * [CVE-2019-1195](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1195>)\n * [CVE-2019-1196](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1196>)\n * [CVE-2019-1197](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1197>)\n * [CVE-2019-1199](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1199>)\n * [CVE-2019-1200](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1200>)\n * [CVE-2019-1201](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1201>)\n * [CVE-2019-1204](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204>)\n * [CVE-2019-1205](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1205>)\n * [CVE-2019-1213](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1213>)\n * [CVE-2019-1222](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1222>)\n * [CVE-2019-1226](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1226>)\n\n### Important vulnerabilities\n\nThis release also contains 65 important vulnerabilities, one of which we will highlight below. 
\n \n[CVE-2019-9506](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9506>) is a vulnerability in Bluetooth that could allow an attacker to change the size of a device's encryption key. While it is not directly a Microsoft vulnerability, the company has released a fix for it. An attacker could use a special device to change the encryption key size of a Bluetooth-enabled device to become as small as one. This method only works if the attacker is within an appropriate range of the targeted device. Microsoft released a software update that enforces a 7-octet minimum key length by default to ensure that a smaller encryption key does not allow an attacker to bypass encryption. \n \nThe other important vulnerabilities are: \n\n\n * [CVE-2019-0712](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0712>)\n * [CVE-2019-0714](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0714>)\n * [CVE-2019-0715](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0715>)\n * [CVE-2019-0716](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0716>)\n * [CVE-2019-0717](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0717>)\n * [CVE-2019-0718](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0718>)\n * [CVE-2019-0723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0723>)\n * [CVE-2019-1030](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1030>)\n * [CVE-2019-1057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1057>)\n * [CVE-2019-1078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1078>)\n * [CVE-2019-1143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1143>)\n * 
[CVE-2019-1146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1146>)\n * [CVE-2019-1147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1147>)\n * [CVE-2019-1148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1148>)\n * [CVE-2019-1153](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1153>)\n * [CVE-2019-1154](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1154>)\n * [CVE-2019-1155](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1155>)\n * [CVE-2019-1156](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1156>)\n * [CVE-2019-1157](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1157>)\n * [CVE-2019-1158](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1158>)\n * [CVE-2019-1159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1159>)\n * [CVE-2019-1160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1160>)\n * [CVE-2019-1161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1161>)\n * [CVE-2019-1162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1162>)\n * [CVE-2019-1163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1163>)\n * [CVE-2019-1164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1164>)\n * [CVE-2019-1168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1168>)\n * [CVE-2019-1169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1169>)\n * [CVE-2019-1170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1170>)\n * [CVE-2019-1171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1171>)\n * 
[CVE-2019-1172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1172>)\n * [CVE-2019-1173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1173>)\n * [CVE-2019-1174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1174>)\n * [CVE-2019-1175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1175>)\n * [CVE-2019-1176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1176>)\n * [CVE-2019-1177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1177>)\n * [CVE-2019-1178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1178>)\n * [CVE-2019-1179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1179>)\n * [CVE-2019-1180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1180>)\n * [CVE-2019-1184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1184>)\n * [CVE-2019-1185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1185>)\n * [CVE-2019-1186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1186>)\n * [CVE-2019-1187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1187>)\n * [CVE-2019-1190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1190>)\n * [CVE-2019-1192](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1192>)\n * [CVE-2019-1193](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1193>)\n * [CVE-2019-1198](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1198>)\n * [CVE-2019-1202](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1202>)\n * [CVE-2019-1203](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1203>)\n * 
[CVE-2019-1206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1206>)\n * [CVE-2019-1211](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1211>)\n * [CVE-2019-1212](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1212>)\n * [CVE-2019-1218](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1218>)\n * [CVE-2019-1223](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1223>)\n * [CVE-2019-1224](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1224>)\n * [CVE-2019-1225](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1225>)\n * [CVE-2019-1227](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1227>)\n * [CVE-2019-1228](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1228>)\n * [CVE-2019-1229](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1229>)\n * [CVE-2019-9511](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9511>)\n * [CVE-2019-9512](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9512>)\n * [CVE-2019-9513](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9514>)\n * [CVE-2019-9514](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9514>)\n * [CVE-2019-9518](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-9518>)\n\n### Moderate vulnerability\n\nThere is one moderate vulnerability, [CVE-2019-1185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1185>), an elevation of privilege vulnerability in Windows Subsystem for Linux. 
\n\n\n### Coverage \n\nIn response to these vulnerability disclosures, Talos is releasing a [new SNORT\u24c7 rule](<https://snort.org/advisories/talos-rules-2019-08-13>) set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org. \n \nThese rules are: 35190, 35191, 40851, 40852, 45142, 45143, 50936 - 50939, 50969 - 50974, 50987, 50988, 50940, 50941, 50998, 50999, 51001 - 51006\n\n", "cvss3": {}, "published": "2019-08-14T09:55:35", "type": "talosblog", "title": "Microsoft Patch Tuesday \u2014 Aug. 2019: Vulnerability disclosures and Snort coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0712", "CVE-2019-0714", "CVE-2019-0715", "CVE-2019-0716", "CVE-2019-0717", "CVE-2019-0718", "CVE-2019-0719", "CVE-2019-0720", "CVE-2019-0723", "CVE-2019-0736", "CVE-2019-0965", "CVE-2019-1030", "CVE-2019-1057", "CVE-2019-1078", "CVE-2019-1131", "CVE-2019-1133", "CVE-2019-1139", "CVE-2019-1140", "CVE-2019-1141", "CVE-2019-1143", "CVE-2019-1144", "CVE-2019-1145", "CVE-2019-1146", "CVE-2019-1147", "CVE-2019-1148", "CVE-2019-1149", "CVE-2019-1150", "CVE-2019-1151", "CVE-2019-1152", "CVE-2019-1153", "CVE-2019-1154", "CVE-2019-1155", "CVE-2019-1156", "CVE-2019-1157", "CVE-2019-1158", "CVE-2019-1159", "CVE-2019-1160", "CVE-2019-1161", "CVE-2019-1162", "CVE-2019-1163", "CVE-2019-1164", "CVE-2019-1168", "CVE-2019-1169", "CVE-2019-1170", "CVE-2019-1171", "CVE-2019-1172", "CVE-2019-1173", "CVE-2019-1174", "CVE-2019-1175", "CVE-2019-1176", "CVE-2019-1177", "CVE-2019-1178", "CVE-2019-1179", "CVE-2019-1180", "CVE-2019-1181", "CVE-2019-1182", "CVE-2019-1183", "CVE-2019-1184", "CVE-2019-1185", "CVE-2019-1186", 
"CVE-2019-1187", "CVE-2019-1188", "CVE-2019-1190", "CVE-2019-1192", "CVE-2019-1193", "CVE-2019-1194", "CVE-2019-1195", "CVE-2019-1196", "CVE-2019-1197", "CVE-2019-1198", "CVE-2019-1199", "CVE-2019-1200", "CVE-2019-1201", "CVE-2019-1202", "CVE-2019-1203", "CVE-2019-1204", "CVE-2019-1205", "CVE-2019-1206", "CVE-2019-1211", "CVE-2019-1212", "CVE-2019-1213", "CVE-2019-1218", "CVE-2019-1222", "CVE-2019-1223", "CVE-2019-1224", "CVE-2019-1225", "CVE-2019-1226", "CVE-2019-1227", "CVE-2019-1228", "CVE-2019-1229", "CVE-2019-9506", "CVE-2019-9511", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9518"], "modified": "2019-08-14T09:55:35", "id": "TALOSBLOG:F543D5FEAB2BB1C90B9699F8AE8757F4", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/ztSCwF-b7VI/microsoft-patch-tuesday-aug-2019.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}