Vulnerabilities > CVE-2015-0005 - 7PK - Security Features vulnerability in Microsoft products

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(81741);
  script_version("1.13");
  script_cvs_date("Date: 2019/11/22");

  script_cve_id("CVE-2015-0005");
  script_bugtraq_id(72933);
  script_xref(name:"MSFT", value:"MS15-027");
  script_xref(name:"MSKB", value:"3002657");

  script_name(english:"MS15-027: Vulnerability in NETLOGON Could Allow Spoofing (3002657)");
  script_summary(english:"Checks the version of Netlogon.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a spoofing vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by a spoofing vulnerability due to
the Netlogon service improperly establishing a secure communications
channel to a different machine with a spoofed computer name. A remote
attacker, on a domain-joined system with the ability to observe
network traffic, can exploit this vulnerability to obtain
session-related data of the spoofed computer. This information can be
used to mount further attacks.

Note that this vulnerability only affects a server if it is configured
as a domain controller.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-027");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2003, 2008, 2008
R2, 2012, 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0005");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/03/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-027';
kb  = "3002657";

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);

if (hotfix_check_sp_range(win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
if ("Server" >!< productname) audit(AUDIT_OS_SP_NOT_VULN); # non-server OSes are not affected

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Unless paranoid, check if the server is a DC
if (report_paranoia < 2)
{
  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  res = get_registry_value(handle:hklm, item:"SYSTEM\CurrentControlSet\Control\ProductOptions\ProductType");
  RegCloseKey(handle:hklm);
  if (res != 'LanmanNT')
  {
    close_registry();
    audit(AUDIT_HOST_NOT, 'configured as a domain controller');
  }

  NetUseDel(close:FALSE);
}

if (
  # Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"netlogon.dll", version:"6.3.9600.17678", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"netlogon.dll", version:"6.2.9200.21391", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"netlogon.dll", version:"6.2.9200.17273", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"netlogon.dll", version:"6.1.7601.22966", min_version:"6.1.7601.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"netlogon.dll", version:"6.1.7601.18759", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"netlogon.dll", version:"6.0.6002.23629", min_version:"6.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"netlogon.dll", version:"6.0.6002.19319", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Server 2003
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"netlogon.dll", version:"5.2.3790.5551", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-3548. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(90515);
  script_version("2.16");
  script_cvs_date("Date: 2019/07/15 14:20:30");

  script_cve_id("CVE-2015-5370", "CVE-2016-2110", "CVE-2016-2111", "CVE-2016-2112", "CVE-2016-2113", "CVE-2016-2114", "CVE-2016-2115", "CVE-2016-2118");
  script_xref(name:"DSA", value:"3548");

  script_name(english:"Debian DSA-3548-1 : samba - security update (Badlock)");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Several vulnerabilities have been discovered in Samba, a SMB/CIFS
file, print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues :

  - CVE-2015-5370
    Jouni Knuutinen from Synopsys discovered flaws in the
    Samba DCE-RPC code which can lead to denial of service
    (crashes and high cpu consumption) and man-in-the-middle
    attacks.

  - CVE-2016-2110
    Stefan Metzmacher of SerNet and the Samba Team
    discovered that the feature negotiation of NTLMSSP does
    not protect against downgrade attacks.

  - CVE-2016-2111
    When Samba is configured as domain controller, it allows
    remote attackers to spoof the computer name of a secure
    channel's endpoint, and obtain sensitive session
    information. This flaw corresponds to the same
    vulnerability as CVE-2015-0005 for Windows, discovered
    by Alberto Solino from Core Security.

  - CVE-2016-2112
    Stefan Metzmacher of SerNet and the Samba Team
    discovered that a man-in-the-middle attacker can
    downgrade LDAP connections to avoid integrity
    protection.

  - CVE-2016-2113
    Stefan Metzmacher of SerNet and the Samba Team
    discovered that man-in-the-middle attacks are possible
    for client triggered LDAP connections and ncacn_http
    connections.

  - CVE-2016-2114
    Stefan Metzmacher of SerNet and the Samba Team
    discovered that Samba does not enforce required smb
    signing even if explicitly configured.

  - CVE-2016-2115
    Stefan Metzmacher of SerNet and the Samba Team
    discovered that SMB connections for IPC traffic are not
    integrity-protected.

  - CVE-2016-2118
    Stefan Metzmacher of SerNet and the Samba Team
    discovered that a man-in-the-middle attacker can
    intercept any DCERPC traffic between a client and a
    server in order to impersonate the client and obtain the
    same privileges as the authenticated user account."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-5370"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2110"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2111"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2015-0005"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2112"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2113"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2114"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2115"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2118"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2113"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/CVE-2016-2114"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/latest_news.html#4.4.2"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/history/samba-4.2.0.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.samba.org/samba/history/samba-4.2.10.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/samba"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/samba"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2016/dsa-3548"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the samba packages.

For the oldstable distribution (wheezy), these problems have been
fixed in version 2:3.6.6-6+deb7u9. The oldstable distribution is not
affected by CVE-2016-2113 and CVE-2016-2114.

For the stable distribution (jessie), these problems have been fixed
in version 2:4.2.10+dfsg-0+deb8u1. The issues were addressed by
upgrading to the new upstream version 4.2.10, which includes
additional changes and bugfixes. The depending libraries ldb, talloc,
tdb and tevent required as well an update to new upstream versions for
this update.

Please refer to

  - https://www.samba.org/samba/latest_news.html#4.4.2
  - https://www.samba.org/samba/history/samba-4.2.0.html

  - https://www.samba.org/samba/history/samba-4.2.10.html

for further details (in particular for new options and defaults).


We'd like to thank Andreas Schneider and Guenther Deschner (Red Hat),
Stefan Metzmacher and Ralph Boehme (SerNet) and Aurelien Aptel (SUSE)
for the massive backporting work required to support Samba 3.6 and
Samba 4.2 and Andrew Bartlett (Catalyst), Jelmer Vernooij and Mathieu
Parent for their help in preparing updates of Samba and the underlying
infrastructure libraries."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:samba");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/14");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"7.0", prefix:"libnss-winbind", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"libpam-smbpass", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"libpam-winbind", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"libsmbclient", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"libsmbclient-dev", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"libwbclient-dev", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"libwbclient0", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba-common", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba-common-bin", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba-dbg", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba-doc", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba-doc-pdf", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"samba-tools", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"smbclient", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"swat", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"7.0", prefix:"winbind", reference:"2:3.6.6-6+deb7u9")) flag++;
if (deb_check(release:"8.0", prefix:"libnss-winbind", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libpam-smbpass", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libpam-winbind", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libparse-pidl-perl", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsmbclient", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsmbclient-dev", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsmbsharemodes-dev", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libsmbsharemodes0", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libwbclient-dev", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libwbclient0", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"python-samba", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"registry-tools", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-common", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-common-bin", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-dbg", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-dev", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-doc", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-dsdb-modules", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-libs", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-testsuite", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"samba-vfs-modules", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"smbclient", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"winbind", reference:"2:4.2.10+dfsg-0+deb8u1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");