(0Day) Fuji Electric Tellus Lite V-Simulator 6 V9 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
Published: 2020-09-08T00:00:00
ID: ZDI-20-1115
Type: zdi
Reporter: kimiya
Modified: 2020-09-08T00:00:00
Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fuji Electric Tellus Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of V9 files by the V-Simulator 6 program. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
Advisory URL: https://www.zerodayinitiative.com/advisories/ZDI-20-1115/
CVE: none assigned
References: none
CVSS: not assigned (score 0.0, vector NONE)
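As an added illustration (not Fuji Electric's code; the record layout, tag value and NAME_BUF_SZ are assumptions, since the real V9 format is not documented here), the unchecked-length copy the advisory describes is shown next to a version that validates the length against both the bytes actually present and the fixed destination buffer before copying:

```c
/* Added example, not Fuji Electric's code: the unchecked-length copy behind
 * ZDI-20-1115 next to a bounds-checked version, on a HYPOTHETICAL record
 * layout ([u8 tag][u16 LE length][length bytes of name]). The real V9 format
 * is not documented on the advisory, so the layout and NAME_BUF_SZ are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SZ 32          /* assumed size of the fixed stack buffer */
#define REC_HDR_SZ  3           /* tag byte + 2-byte length */

enum { PARSE_BAD_HDR = -1, PARSE_TRUNCATED = -2, PARSE_TOO_LONG = -3 };

/* Read a little-endian u16 only if two bytes are actually present. */
static int read_u16le(const uint8_t *p, size_t avail, uint16_t *out)
{
    if (avail < 2) return -1;
    *out = (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
    return 0;
}

/* Vulnerable pattern (for contrast): the length field is taken from the file
 * and used as the memcpy size with no comparison against the destination.
 * A record whose length exceeds NAME_BUF_SZ writes past the end of `name` on
 * the stack, which is the defect class the advisory describes. Never called. */
int parse_name_unchecked(const uint8_t *rec, size_t rec_len, char *out, size_t out_sz)
{
    char name[NAME_BUF_SZ];
    uint16_t len;
    if (rec_len < REC_HDR_SZ || read_u16le(rec + 1, rec_len - 1, &len) != 0)
        return PARSE_BAD_HDR;
    memcpy(name, rec + REC_HDR_SZ, len);   /* BUG: len never checked */
    name[len] = '\0';                      /* BUG: may also write out of bounds */
    snprintf(out, out_sz, "%s", name);
    return (int)len;
}

/* Hardened version: the length is validated against the bytes actually in the
 * record AND against the fixed destination buffer before a single byte is
 * copied; ">= sizeof name" leaves room for the NUL terminator. */
int parse_name_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_sz)
{
    char name[NAME_BUF_SZ];
    uint16_t len;
    if (rec == NULL || out == NULL || out_sz == 0) return PARSE_BAD_HDR;
    if (rec_len < REC_HDR_SZ || read_u16le(rec + 1, rec_len - 1, &len) != 0)
        return PARSE_BAD_HDR;
    if (len > rec_len - REC_HDR_SZ) return PARSE_TRUNCATED; /* claims more than exists */
    if (len >= sizeof name) return PARSE_TOO_LONG;           /* would overrun the stack buffer */
    memcpy(name, rec + REC_HDR_SZ, len);
    name[len] = '\0';
    if (len >= out_sz) return PARSE_TOO_LONG;
    memcpy(out, name, (size_t)len + 1);
    return (int)len;
}

/* Build a constructed test record; claimed_len may disagree with the bytes
 * actually appended, which is exactly what a malformed file looks like. */
size_t build_record(uint8_t *dst, size_t dst_sz, uint16_t claimed_len,
                    const char *payload, size_t payload_len)
{
    if (dst_sz < REC_HDR_SZ + payload_len) return 0;
    dst[0] = 0x01;                         /* hypothetical "name" tag */
    dst[1] = (uint8_t)(claimed_len & 0xff);
    dst[2] = (uint8_t)(claimed_len >> 8);
    memcpy(dst + REC_HDR_SZ, payload, payload_len);
    return REC_HDR_SZ + payload_len;
}

/* Three constructed inputs: a well-formed record, one whose length claims
 * more bytes than the file holds, and one long enough to overrun the buffer. */
int demo_valid(void)
{
    uint8_t rec[128]; char out[64];
    size_t n = build_record(rec, sizeof rec, 6, "Pump01", 6);
    int r = parse_name_checked(rec, n, out, sizeof out);
    return (r == 6 && strcmp(out, "Pump01") == 0) ? r : -99;
}

int demo_truncated(void)
{
    uint8_t rec[128]; char out[64];
    size_t n = build_record(rec, sizeof rec, 10, "Pump", 4);
    return parse_name_checked(rec, n, out, sizeof out);
}

int demo_oversized(void)
{
    uint8_t rec[128]; char out[64]; char big[64];
    memset(big, 'A', sizeof big);
    size_t n = build_record(rec, sizeof rec, (uint16_t)sizeof big, big, sizeof big);
    return parse_name_checked(rec, n, out, sizeof out);
}

int main(void)
{
    printf("valid record     -> %d (name length)\n", demo_valid());
    printf("truncated record -> %d (PARSE_TRUNCATED)\n", demo_truncated());
    printf("oversized record -> %d (PARSE_TOO_LONG)\n", demo_oversized());
    return 0;
}
```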
< 10.5 Multiple Vulnerabilities (uncredentialed check)\");\n script_summary(english:\"Checks the version of iTunes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host contains a multimedia application that has multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apple iTunes on the remote host is prior to version\n10.5. It is, therefore, affected by multiple vulnerabilities in the\nCoreAudio, CoreFoundation, CoreMedia, ColorSync, ImageIO, and WebKit\ncomponents. Note that these only affect iTunes for Windows.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-303/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-304/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT4981\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.apple.com/archives/security-announce/2011/Oct/msg00000.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apple iTunes 10.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-678\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple Safari Webkit libxslt Arbitrary File Creation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n 
script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\n\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/10/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_family(english:\"Peer-To-Peer File Sharing\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"itunes_sharing.nasl\");\n script_require_keys(\"iTunes/sharing\");\n script_require_ports(\"Services/www\", 3689);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:3689, embedded:TRUE, ignore_broken:TRUE);\n\nget_kb_item_or_exit(\"iTunes/\" + port + \"/enabled\");\n\ntype = get_kb_item_or_exit(\"iTunes/\" + port + \"/type\");\nsource = get_kb_item_or_exit(\"iTunes/\" + port + \"/source\");\nversion = get_kb_item_or_exit(\"iTunes/\" + port + \"/version\");\n\nif (type != 'Windows') audit(AUDIT_OS_NOT, \"Windows\");\n\nfixed_version = \"10.5\";\n\nif (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)\n{\n if (report_verbosity > 0)\n {\n report = '\\n Version source : ' + source +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"iTunes\", port, version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T03:31:09", "description": "The version of Apple iTunes installed on the remote Windows host is\nolder than 10.5. 
Thus, it is reportedly affected by numerous issues in\nthe following components :\n\n - CoreFoundation\n - ColorSync\n - CoreAudio\n - CoreMedia\n - ImageIO\n - WebKit", "edition": 26, "published": "2011-10-12T00:00:00", "title": "Apple iTunes < 10.5 Multiple Vulnerabilities (credentialed check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-2827", "CVE-2011-1293", "CVE-2011-0221", "CVE-2011-2790", "CVE-2011-0234", "CVE-2011-0225", "CVE-2011-0259", "CVE-2011-2352", "CVE-2011-2792", "CVE-2010-1823", "CVE-2011-0215", "CVE-2011-2339", "CVE-2011-3234", "CVE-2011-1462", "CVE-2011-1451", "CVE-2011-0238", "CVE-2011-3233", "CVE-2011-0204", "CVE-2011-0223", "CVE-2011-1440", "CVE-2011-2359", "CVE-2011-1109", "CVE-2011-1457", "CVE-2011-2351", "CVE-2011-2818", "CVE-2011-3241", "CVE-2011-0240", "CVE-2011-1204", "CVE-2011-2820", "CVE-2011-0218", "CVE-2011-0164", "CVE-2011-0254", "CVE-2011-2797", "CVE-2011-0255", "CVE-2011-1296", "CVE-2011-0981", "CVE-2011-2811", "CVE-2011-2788", "CVE-2011-3239", "CVE-2011-1115", "CVE-2011-3252", "CVE-2011-3244", "CVE-2011-1114", "CVE-2011-3236", "CVE-2011-2338", "CVE-2011-3238", "CVE-2011-1203", "CVE-2011-2356", "CVE-2011-0983", "CVE-2011-0222", "CVE-2011-2354", "CVE-2011-2799", "CVE-2011-2817", "CVE-2011-2831", "CVE-2011-1453", "CVE-2011-0233", "CVE-2011-0237", "CVE-2011-3232", "CVE-2011-1797", "CVE-2011-1288", "CVE-2011-2815", "CVE-2011-3237", "CVE-2011-3219", "CVE-2011-0253", "CVE-2011-1117", "CVE-2011-0200", "CVE-2011-0232", "CVE-2011-2814", "CVE-2011-1449", "CVE-2011-1121", "CVE-2011-2813", "CVE-2011-2816", "CVE-2011-1774", "CVE-2011-2823", "CVE-2011-3235", "CVE-2011-1188", "CVE-2011-0235", "CVE-2011-2809", "CVE-2011-2341"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:apple:itunes"], "id": "ITUNES_10_5.NASL", "href": "https://www.tenable.com/plugins/nessus/56469", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0); # Avoid problems with large number of 
xrefs.\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(56469);\n script_version(\"1.45\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\n \"CVE-2010-1823\",\n \"CVE-2011-0164\",\n \"CVE-2011-0200\",\n \"CVE-2011-0204\",\n \"CVE-2011-0215\",\n \"CVE-2011-0218\",\n \"CVE-2011-0221\",\n \"CVE-2011-0222\",\n \"CVE-2011-0223\",\n \"CVE-2011-0225\",\n \"CVE-2011-0232\",\n \"CVE-2011-0233\",\n \"CVE-2011-0234\",\n \"CVE-2011-0235\",\n \"CVE-2011-0237\",\n \"CVE-2011-0238\",\n \"CVE-2011-0240\",\n \"CVE-2011-0253\",\n \"CVE-2011-0254\",\n \"CVE-2011-0255\",\n \"CVE-2011-0259\",\n \"CVE-2011-0981\",\n \"CVE-2011-0983\",\n \"CVE-2011-1109\",\n \"CVE-2011-1114\",\n \"CVE-2011-1115\",\n \"CVE-2011-1117\",\n \"CVE-2011-1121\",\n \"CVE-2011-1188\",\n \"CVE-2011-1203\",\n \"CVE-2011-1204\",\n \"CVE-2011-1288\",\n \"CVE-2011-1293\",\n \"CVE-2011-1296\",\n \"CVE-2011-1440\",\n \"CVE-2011-1449\",\n \"CVE-2011-1451\",\n \"CVE-2011-1453\",\n \"CVE-2011-1457\",\n \"CVE-2011-1462\",\n \"CVE-2011-1774\",\n \"CVE-2011-1797\",\n \"CVE-2011-2338\",\n \"CVE-2011-2339\",\n \"CVE-2011-2341\",\n \"CVE-2011-2351\",\n \"CVE-2011-2352\",\n \"CVE-2011-2354\",\n \"CVE-2011-2356\",\n \"CVE-2011-2359\",\n \"CVE-2011-2788\",\n \"CVE-2011-2790\",\n \"CVE-2011-2792\",\n \"CVE-2011-2797\",\n \"CVE-2011-2799\",\n \"CVE-2011-2809\",\n \"CVE-2011-2811\",\n \"CVE-2011-2813\",\n \"CVE-2011-2814\",\n \"CVE-2011-2815\",\n \"CVE-2011-2816\",\n \"CVE-2011-2817\",\n \"CVE-2011-2818\",\n \"CVE-2011-2820\",\n \"CVE-2011-2823\",\n \"CVE-2011-2827\",\n \"CVE-2011-2831\",\n \"CVE-2011-3219\",\n \"CVE-2011-3232\",\n \"CVE-2011-3233\",\n \"CVE-2011-3234\",\n \"CVE-2011-3235\",\n \"CVE-2011-3236\",\n \"CVE-2011-3237\",\n \"CVE-2011-3238\",\n \"CVE-2011-3239\",\n \"CVE-2011-3241\",\n \"CVE-2011-3244\",\n \"CVE-2011-3252\"\n );\n script_bugtraq_id(\n 46262,\n 46614,\n 46785,\n 47029,\n 47604,\n 48437,\n 48479,\n 48840,\n 48856,\n 48960,\n 49279,\n 49658,\n 49850,\n 50065,\n 50066,\n 
50067,\n 50068\n );\n script_xref(name:\"MSVR\", value:\"MSVR11-001\");\n\n script_name(english:\"Apple iTunes < 10.5 Multiple Vulnerabilities (credentialed check)\");\n script_summary(english:\"Checks version of iTunes on Windows\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host contains a multimedia application that has multiple\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Apple iTunes installed on the remote Windows host is\nolder than 10.5. Thus, it is reportedly affected by numerous issues in\nthe following components :\n\n - CoreFoundation\n - ColorSync\n - CoreAudio\n - CoreMedia\n - ImageIO\n - WebKit\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-11-303/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-11-304/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT4981\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.apple.com/archives/security-announce/2011/Oct/msg00000.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Apple iTunes 10.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-678\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apple Safari Webkit libxslt Arbitrary File Creation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'White_Phosphorus');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/10/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/10/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apple:itunes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"itunes_detect.nasl\");\n script_require_keys(\"SMB/iTunes/Version\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n\nversion = get_kb_item_or_exit(\"SMB/iTunes/Version\");\nfixed_version = \"10.5.0.142\";\n\nif (ver_compare(ver:version, fix:fixed_version) == -1)\n{\n if (report_verbosity > 0)\n {\n path = get_kb_item(\"SMB/iTunes/Path\");\n if (isnull(path)) path = 'n/a';\n\n report =\n '\\n Path : '+path+\n '\\n Installed version : '+version+\n '\\n Fixed version : '+fixed_version+'\\n';\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n}\nelse exit(0, \"The host is not affected since iTunes \"+version+\" is installed.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}