Vulnerabilities > CVE-2015-2476 - Cryptographic Issues vulnerability in Microsoft products

CVSS 2.6 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
high complexity
microsoft
CWE-310
nessus

Summary

The WebDAV client in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 supports SSL 2.0, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and conducting a decryption attack, aka "WebDAV Client Information Disclosure Vulnerability."

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Msbulletin

bulletin_id: MS15-089
bulletin_url:
date: 2015-08-11T00:00:00
impact: Information Disclosure
knowledgebase_id: 3076949
knowledgebase_url:
severity: Important
title: Vulnerability in WebDAV Could Allow Information Disclosure

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS15-089.NASL
description: The remote Windows host is affected by an information disclosure vulnerability in the Microsoft Web Distributed Authoring and Versioning (WebDAV) client due to explicitly allowing the use of Secure Socket Layer (SSL) 2.0. A remote attacker can exploit this to force an encrypted SSL 2.0 session with a WebDAV server that has SSL 2.0 enabled, and use a man-in-the-middle attack to decrypt portions of the encrypted traffic, resulting in the disclosure of sensitive information.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 85323
published: 2015-08-11
reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/85323
title: MS15-089: Vulnerability in WebDAV Could Allow Information Disclosure (3076949)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration section: this branch only declares the plugin's metadata
# (identifiers, cross-references, report text, scoring, prerequisites) and
# then exits via exit(0). The host check itself is the code after this block.
if (description)
{
  script_id(85323);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/22");

  # Cross-references linking the finding to the CVE, the Microsoft bulletin
  # and the KB article, so results can be matched against patch records.
  script_cve_id("CVE-2015-2476");
  script_bugtraq_id(76234);
  script_xref(name:"MSFT", value:"MS15-089");
  script_xref(name:"MSKB", value:"3076949");
  script_xref(name:"IAVB", value:"2015-B-0096");

  script_name(english:"MS15-089: Vulnerability in WebDAV Could Allow Information Disclosure (3076949)");
  # The detection method is a DLL version comparison, not an SSL 2.0 handshake test.
  script_summary(english:"Checks the version of davclnt.dll / webclnt.dll.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an information disclosure
vulnerability.");
  # Report text. Per this description the exposure needs two conditions: the
  # unpatched client, and a WebDAV server that still has SSL 2.0 enabled.
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by an information disclosure
vulnerability in the Microsoft Web Distributed Authoring and
Versioning (WebDAV) client due to explicitly allowing the use of
Secure Socket Layer (SSL) 2.0. A remote attacker can exploit this to
force an encrypted SSL 2.0 session with a WebDAV server that has SSL
2.0 enabled, and use a man-in-the-middle attack to decrypt portions of
the encrypted traffic, resulting in the disclosure of sensitive
information.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-089");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Vista, 2008, 7,
2008 R2, 8, RT, 2012, 8.1, RT 8.1, and 2012 R2.");
  # CVSS v2 base vector: network attack vector, high access complexity, no
  # authentication, partial confidentiality impact, no integrity or
  # availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N");
  # CVSS v2 temporal vector: exploitability unproven (E:U), official fix
  # available (RL:OF), report confidence confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2476");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Disclosure, patch and plugin release are all recorded with the same date.
  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/11");

  # "local" is consistent with script_summary: the result comes from file
  # versions read on the host, not from a network probe of the WebDAV client.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  # Registered as an information-gathering check.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites declared to the scanner: the two plugins listed as
  # dependencies, the KB key SMB/MS_Bulletin_Checks/Possible, and SMB ports
  # 139/445 or the Host/patch_management_checks key.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Host check: decides whether MS15-089 (KB 3076949) is missing by comparing
# the version of the WebDAV client DLL on disk with the fixed builds below.
# NOTE(review): this is a patch-level check only. Nothing here tests whether
# the client still offers SSL 2.0 or whether the WebDAV client is in use, so a
# finding means "update not installed", not "SSL 2.0 traffic observed".
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS15-089';
kbs = '3076949';

# When the patch-management KB key is set, the bulletin/KB pair is also handed
# to hotfix_check_3rd_party() with note severity.
# presumably this lets patch-management data report the missing update; confirm in smb_hotfixes.inc
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:make_list(kbs), severity:SECURITY_NOTE);

# Both KB items must be present before any file check is attempted; a missing
# Windows version is the only gate that passes an explicit exit_code (1).
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only Vista SP2, Windows 7 SP1, Windows 8 and Windows 8.1 (and the server
# releases sharing those version numbers in the table below) are in scope.
if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Server Core installations are audited out without a file check.
# NOTE(review): presumably the WebDAV client is not present on Server Core;
# confirm against the bulletin's affected-software table.
if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);

# The DLL versions are read through the system drive exposed as a share, so
# the check cannot run if that share is not accessible to the scan account.
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Each call names a fixed build ("version") and a lower bound ("min_version").
# Where an OS has two calls, the ranges look like separate servicing branches
# of the same release; TODO confirm. The || chain stops at the first match.
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"davclnt.dll", version:"6.3.9600.17923", min_version:"6.3.9600.16000", dir:"\system32", bulletin:bulletin, kb:3076949) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"davclnt.dll", version:"6.2.9200.21538", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:3076949) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"davclnt.dll", version:"6.2.9200.17428", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:3076949) ||

  # Windows 7 / Server 2008 R2
  # NOTE(review): the second range starts at 6.1.7600.18000 although its fixed
  # build is 6.1.7601.x; this looks deliberate (covers the whole lower branch)
  # but confirm.
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"davclnt.dll", version:"6.1.7601.23115", min_version:"6.1.7601.20000", dir:"\system32", bulletin:bulletin, kb:3076949) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"davclnt.dll", version:"6.1.7601.18912", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:3076949) ||

  # Vista / Windows Server 2008 (the file checked here is webclnt.dll, not davclnt.dll)
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"webclnt.dll", version:"6.0.6002.23739", min_version:"6.0.6002.20000", dir:"\system32", bulletin:bulletin, kb:3076949) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"webclnt.dll", version:"6.0.6002.19433", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:3076949)
)
{
  # Record the missing bulletin in the KB, then report at note severity.
  # presumably other plugins read SMB/Missing/<bulletin> for summary reporting; verify
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_note();
  # presumably ends the file-check session opened by the hotfix helpers; confirm in smb_hotfixes_fcheck.inc
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # No version range matched: end the file-check session and audit the host
  # as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}