Vulnerabilities > CVE-2019-0541 - Command Injection vulnerability in Microsoft products

047910
CVSS 8.8 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
microsoft
CWE-77
nessus
exploit available

Summary

A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka "MSHTML Engine Remote Code Execution Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Cause Web Server Misclassification
    An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process. This type of vulnerability has been found in many widely used servers including IIS, Lotus Domino, and Orion. The attacker's job in this case is straightforward, standard communication protocols and methods are used and are generally appended with malicious information at the tail end of an otherwise legitimate request. The attack payload varies, but it could be special characters like a period or simply appending a tag that has a special meaning for operations on the server side like .jsp for a java application server. The essence of this attack is that the attacker deceives the server into executing functionality based on the name of the request, i.e. login.jsp, not the contents.
  • LDAP Injection
    An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
  • Command Delimiters
    An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Exploiting Multiple Input Interpretation Layers
    An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

Exploit-Db

fileexploits/windows/local/46536.txt
idEDB-ID:46536
last seen2019-03-13
modified2019-03-13
platformwindows
port
published2019-03-13
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/46536
titleMicrosoft Windows MSHTML Engine - "Edit" Remote Code Execution
typelocal

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480973.NASL
    descriptionThe remote Windows host is missing security update 4480973. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-0539, CVE-2019-0567) - An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. A attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory. (CVE-2019-0553) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how the Microsoft XmlDocument class enforces sandboxing. (CVE-2019-0555) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543) - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2019-0570) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0551) - An elevation of privilege exists in Windows COM Desktop Broker. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-0552) - An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object. An attacker who successfully exploited the vulnerability could use the Browser Broker COM object to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0566) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. (CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574)
    last seen2020-06-01
    modified2020-06-02
    plugin id121018
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121018
    titleKB4480973: Windows 10 Version 1703 January 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121018);
      script_version("1.8");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2019-0536",
        "CVE-2019-0538",
        "CVE-2019-0539",
        "CVE-2019-0541",
        "CVE-2019-0543",
        "CVE-2019-0545",
        "CVE-2019-0549",
        "CVE-2019-0551",
        "CVE-2019-0552",
        "CVE-2019-0553",
        "CVE-2019-0554",
        "CVE-2019-0555",
        "CVE-2019-0566",
        "CVE-2019-0567",
        "CVE-2019-0569",
        "CVE-2019-0570",
        "CVE-2019-0571",
        "CVE-2019-0572",
        "CVE-2019-0573",
        "CVE-2019-0574",
        "CVE-2019-0575",
        "CVE-2019-0576",
        "CVE-2019-0577",
        "CVE-2019-0578",
        "CVE-2019-0579",
        "CVE-2019-0580",
        "CVE-2019-0581",
        "CVE-2019-0582",
        "CVE-2019-0583",
        "CVE-2019-0584"
      );
      script_xref(name:"MSKB", value:"4480973");
      script_xref(name:"MSFT", value:"MS19-4480973");
    
      script_name(english:"KB4480973: Windows 10 Version 1703 January 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4480973. 
    It is, therefore, affected by multiple vulnerabilities :
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-0539, CVE-2019-0567)
    
      - An information disclosure vulnerability exists when
        Windows Subsystem for Linux improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system. A attacker could exploit
        this vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how Windows Subsystem for Linux handles
        objects in memory. (CVE-2019-0553)
    
      - An information disclosure vulnerability exists in .NET
        Framework and .NET Core which allows bypassing Cross-
        origin Resource Sharing (CORS) configurations. An
        attacker who successfully exploited the vulnerability
        could retrieve content, that is normally restricted,
        from a web application. The security update addresses
        the vulnerability by enforcing CORS configuration to
        prevent its bypass. (CVE-2019-0545)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576,
        CVE-2019-0577, CVE-2019-0578, CVE-2019-0579,
        CVE-2019-0580, CVE-2019-0581, CVE-2019-0582,
        CVE-2019-0583, CVE-2019-0584)
    
      - An elevation of privilege vulnerability exists in the
        Microsoft XmlDocument class that could allow an attacker
        to escape from the AppContainer sandbox in the browser.
        An attacker who successfully exploited this
        vulnerability could gain elevated privileges and break
        out of the Edge AppContainer sandbox. The vulnerability
        by itself does not allow arbitrary code to run. However,
        this vulnerability could be used in conjunction with one
        or more vulnerabilities (for example a remote code
        execution vulnerability and another elevation of
        privilege vulnerability) to take advantage of the
        elevated privileges when running. The security update
        addresses the vulnerability by modifying how the
        Microsoft XmlDocument class enforces sandboxing.
        (CVE-2019-0555)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-0543)
    
      - An elevation of privilege vulnerability exists when the
        Windows Runtime improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in an elevated context. An
        attacker could exploit this vulnerability by running a
        specially crafted application on the victim system. The
        update addresses the vulnerability by correcting the way
        the Windows Runtime handles objects in memory.
        (CVE-2019-0570)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)
    
      - A remote code execution vulnerability exists when
        Windows Hyper-V on a host server fails to properly
        validate input from an authenticated user on a guest
        operating system.  (CVE-2019-0551)
    
      - An elevation of privilege exists in Windows COM Desktop
        Broker. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-0552)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Edge Browser Broker COM object. An attacker
        who successfully exploited the vulnerability could use
        the Browser Broker COM object to elevate privileges on
        an affected system. This vulnerability by itself does
        not allow arbitrary code execution; however, it could
        allow arbitrary code to be run if the attacker uses it
        in combination with another vulnerability (such as a
        remote code execution vulnerability or another elevation
        of privilege vulnerability) that is capable of
        leveraging the elevated privileges when code execution
        is attempted. (CVE-2019-0566)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-0569)
    
      - An elevation of privilege vulnerability exists when the
        Windows Data Sharing Service improperly handles file
        operations. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could exploit this vulnerability by
        running a specially crafted application on the victim
        system. The update addresses the vulnerability by
        correcting the way the Windows Data Sharing Service
        handles file operations. (CVE-2019-0571, CVE-2019-0572,
        CVE-2019-0573, CVE-2019-0574)");
      # https://support.microsoft.com/en-us/help/4480973/windows-10-update-kb4480973
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a8bd0dec");
      script_set_attribute(attribute:"solution", value:
      "Apply Cumulative Update KB4480973.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0538");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list('4480973');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"15063",
                       rollup_date:"01_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4480973])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480970.NASL
    descriptionThe remote Windows host is missing security update 4480960 or cumulative update 4480970. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543)
    last seen2020-06-01
    modified2020-06-02
    plugin id121017
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121017
    titleKB4480960: Windows 7 and Windows Server 2008 R2 January 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121017);
      script_version("1.9");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2018-3639",
        "CVE-2019-0536",
        "CVE-2019-0538",
        "CVE-2019-0541",
        "CVE-2019-0543",
        "CVE-2019-0545",
        "CVE-2019-0549",
        "CVE-2019-0554",
        "CVE-2019-0569",
        "CVE-2019-0575",
        "CVE-2019-0576",
        "CVE-2019-0577",
        "CVE-2019-0578",
        "CVE-2019-0579",
        "CVE-2019-0580",
        "CVE-2019-0581",
        "CVE-2019-0582",
        "CVE-2019-0583",
        "CVE-2019-0584"
      );
      script_xref(name:"MSKB", value:"4480960");
      script_xref(name:"MSKB", value:"4480970");
      script_xref(name:"MSFT", value:"MS19-4480960");
      script_xref(name:"MSFT", value:"MS19-4480970");
    
      script_name(english:"KB4480960: Windows 7 and Windows Server 2008 R2 January 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4480960
    or cumulative update 4480970. It is, therefore, affected by
    multiple vulnerabilities :
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-0569)
    
      - An information disclosure vulnerability exists in .NET
        Framework and .NET Core which allows bypassing Cross-
        origin Resource Sharing (CORS) configurations. An
        attacker who successfully exploited the vulnerability
        could retrieve content, that is normally restricted,
        from a web application. The security update addresses
        the vulnerability by enforcing CORS configuration to
        prevent its bypass. (CVE-2019-0545)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576,
        CVE-2019-0577, CVE-2019-0578, CVE-2019-0579,
        CVE-2019-0580, CVE-2019-0581, CVE-2019-0582,
        CVE-2019-0583, CVE-2019-0584)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine improperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-0543)");
      # https://support.microsoft.com/en-us/help/4480960/windows-server-2008-kb4480960
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6bb1666d");
      # https://support.microsoft.com/en-us/help/4480970/windows-7-update-kb4480970
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df36ff32");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4480960 or Cumulative Update KB4480970.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0538");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list('4480960', '4480970');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.1",
                       sp:1,
                       rollup_date:"01_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4480960, 4480970])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_OFFICE_VIEWERS.NASL
    descriptionThe Microsoft Office Viewer Products are missing security updates. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. (CVE-2019-0585) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541)
    last seen2020-06-01
    modified2020-06-02
    plugin id121025
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121025
    titleSecurity Updates for Microsoft Office Viewer Products (January 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121025);
      script_version("1.6");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2019-0541",
        "CVE-2019-0585"
      );
      script_xref(name:"MSKB", value:"4461635");
      script_xref(name:"MSKB", value:"4462112");
      script_xref(name:"MSKB", value:"2596760");
      script_xref(name:"MSFT", value:"MS19-4461635");
      script_xref(name:"MSFT", value:"MS19-4462112");
      script_xref(name:"MSFT", value:"MS19-2596760");
    
      script_name(english:"Security Updates for Microsoft Office Viewer Products (January 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft Office Viewer Products are affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Office Viewer Products are missing security
    updates. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A remote code execution vulnerability exists in
        Microsoft Word software when it fails to properly handle
        objects in memory. An attacker who successfully
        exploited the vulnerability could use a specially
        crafted file to perform actions in the security context
        of the current user. For example, the file could then
        take actions on behalf of the logged-on user with the
        same permissions as the current user.  (CVE-2019-0585)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)");
      # https://support.microsoft.com/en-us/help/4461635/description-of-the-security-update-for-word-viewer-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b794a801");
      # https://support.microsoft.com/en-us/help/4462112/description-of-the-security-update-for-word-viewer-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cff48609");
      # https://support.microsoft.com/en-us/help/2596760/description-of-the-security-update-for-excel-viewer-2007-january
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75ef963a");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:  
      -KB4461635
      -KB4462112
      -KB2596760");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0541");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:word");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:excel_viewer");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("office_installed.nasl","microsoft_office_compatibility_pack_installed.nbin","smb_hotfixes.nasl","ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    global_var vuln;
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list(
      '2596760', # Excel Viewer 2007
      '4461635', # Word Viewer
      '4462112'  # Word Viewer
    );
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);
    
    vuln = FALSE;
    port = kb_smb_transport();
    
    ######################################################################
    # Excel Viewer
    ######################################################################
    function perform_excel_viewer_checks()
    {
      var prod_exel, path, install, installs, common_path;
      prod_exel = "Microsoft Excel Viewer";
      installs = get_kb_list("SMB/Office/ExcelViewer/*/ProductPath");
    
      foreach install (keys(installs))
      {
        common_path = installs[install];
        path = ereg_replace(pattern:"^([A-Za-z]:.*)\\Microsoft Office.*", replace:"\1\Microsoft Office\Office12", string:common_path);
    
        if (hotfix_check_fversion(file:"msohev.dll", version:"12.0.6806.5000", path:path, kb:"2596760", product:prod_exel) == HCF_OLDER) vuln = TRUE;
      }
    }
    
    ######################################################################
    # Word Viewer
    ######################################################################
    function perform_word_viewer_checks()
    {
      var install, installs, path, prod;
      prod = "Microsoft Word Viewer";
    
      installs = get_kb_list("SMB/Office/WordViewer/*/ProductPath");
      foreach install (keys(installs))
      {
        path = installs[install];
        path = ereg_replace(pattern:"^([A-Za-z]:.*)\\[wW]ordview.exe", replace:"\1", string:path);
    
        if (hotfix_check_fversion(file:"msohtmed.exe", version:"11.0.8453.0", path:path, kb:"4461635", product:prod) == HCF_OLDER)
          vuln = TRUE;
    
        if (hotfix_check_fversion(file:"Wordview.exe", version:"11.0.8454.0", path:path, kb:"4462112", product:prod) == HCF_OLDER)
          vuln = TRUE;
      }
    }
    
    
    ######################################################################
    # MAIN
    ######################################################################
    perform_excel_viewer_checks();
    perform_word_viewer_checks();
    
    if (vuln)
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_INTERNET_EXPLORER.NASL
    descriptionThe Internet Explorer installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability : - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541)
    last seen2020-06-01
    modified2020-06-02
    plugin id121023
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121023
    titleSecurity Updates for Internet Explorer (January 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121023);
      script_version("1.8");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id("CVE-2019-0541");
      script_xref(name:"MSKB", value:"4480963");
      script_xref(name:"MSKB", value:"4480968");
      script_xref(name:"MSKB", value:"4480970");
      script_xref(name:"MSKB", value:"4480965");
      script_xref(name:"MSKB", value:"4480975");
      script_xref(name:"MSFT", value:"MS19-4480963");
      script_xref(name:"MSFT", value:"MS19-4480968");
      script_xref(name:"MSFT", value:"MS19-4480970");
      script_xref(name:"MSFT", value:"MS19-4480965");
      script_xref(name:"MSFT", value:"MS19-4480975");
    
      script_name(english:"Security Updates for Internet Explorer (January 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Internet Explorer installation on the remote host is
    missing a security update.");
      script_set_attribute(attribute:"description", value:
    "The Internet Explorer installation on the remote host is
    missing a security update. It is, therefore, affected by the
    following vulnerability :
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)");
      # https://support.microsoft.com/en-us/help/4480963/windows-8-1-update-kb4480963
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5fa9f1a3");
      # https://support.microsoft.com/en-us/help/4480968/windows-server-2008-update-kb4480968
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be3b897d");
      # https://support.microsoft.com/en-us/help/4480970/windows-7-update-kb4480970
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df36ff32");
      # https://support.microsoft.com/en-us/help/4480965/cumulative-security-update-for-internet-explorer
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c55a9f6");
      # https://support.microsoft.com/en-us/help/4480975/windows-server-2012-update-kb4480975
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?14883957");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:  
      -KB4480963
      -KB4480968
      -KB4480970
      -KB4480965
      -KB4480975");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0541");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS19-01';
    kbs = make_list(
      '4480963',
      '4480965',
      '4480968',
      '4480970',
      '4480975'
    );
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    os = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname && "8.1" >!< productname)
     audit(AUDIT_OS_SP_NOT_VULN);
    if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 8.1 / Windows Server 2012 R2
      # Internet Explorer 11
        hotfix_is_vulnerable(os:"6.3", sp:0, file:"mshtml.dll", version:"11.0.9600.19236", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4480965") ||
    
      # Windows Server 2012
      # Internet Explorer 10
        hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"10.0.9200.22644", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:"4480965") ||
    
      # Windows 7 / Server 2008 R2
      # Internet Explorer 11
        hotfix_is_vulnerable(os:"6.1", sp:1, file:"mshtml.dll", version:"11.0.9600.19236", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4480965") ||
    
      # Windows Server 2008
      # Internet Explorer 9
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.21304", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4480965")
    )
    {
      report =  '\nNote: The fix for this issue is available in either of the following updates:\n';
      report += '  - KB4480965 : Cumulative Security Update for Internet Explorer\n';
      if(os == "6.3")
      {
        report += '  - KB4480963 : Windows 8.1 / Server 2012 R2 Monthly Rollup\n';
        hotfix_add_report(bulletin:'MS19-01', kb:'4480963', report);
      }
      else if(os == "6.2")
      {
        report += '  - KB4480975 : Windows Server 2012 Monthly Rollup\n';
        hotfix_add_report(bulletin:'MS19-01', kb:'4480975', report);
      }
      else if(os == "6.1")
      {
        report += '  - KB4480970 : Windows 7 / Server 2008 R2 Monthly Rollup\n';
        hotfix_add_report(bulletin:'MS19-01', kb:'4480970', report);
      }
      else if(os == "6.0")
      {
        report += '  - KB4480968 : Windows Server 2008 Monthly Rollup\n';
        hotfix_add_report(bulletin:'MS19-01', kb:'4480968', report);
      }
      set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_OFFICE.NASL
    descriptionThe Microsoft Office Products are missing security updates. It is, therefore, affected by multiple vulnerabilities: - A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An information disclosure vulnerability exists when Microsoft Outlook improperly handles certain types of messages. An attacker who successfully exploited this vulnerability could gather information about the victim. An attacker could exploit this vulnerability by sending a specially crafted email to the victim. The update addresses the vulnerability by correcting the way Microsoft Outlook handles these types of messages. (CVE-2019-0559) - An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the users computer or data. (CVE-2019-0560) - An information disclosure vulnerability exists when Microsoft Office improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the users computer or data. (CVE-2019-0560) - A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user. (CVE-2019-0585)
    last seen2020-06-01
    modified2020-06-02
    plugin id121024
    published2019-01-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121024
    titleSecurity Updates for Microsoft Office Products (January 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include('compat.inc');
    
    if (description)
    {
      script_id(121024);
      script_version("1.11");
      script_cvs_date("Date: 2020/01/30");
    
      script_cve_id(
        "CVE-2019-0541",
        "CVE-2019-0559",
        "CVE-2019-0560",
        "CVE-2019-0561",
        "CVE-2019-0585"
      );
      script_xref(name:"MSKB", value:"2553332");
      script_xref(name:"MSKB", value:"3172522");
      script_xref(name:"MSKB", value:"4022162");
      script_xref(name:"MSKB", value:"4461535");
      script_xref(name:"MSKB", value:"4461537");
      script_xref(name:"MSKB", value:"4461614");
      script_xref(name:"MSKB", value:"4461617");
      script_xref(name:"MSFT", value:"MS19-2553332");
      script_xref(name:"MSFT", value:"MS19-3172522");
      script_xref(name:"MSFT", value:"MS19-4022162");
      script_xref(name:"MSFT", value:"MS19-4461535");
      script_xref(name:"MSFT", value:"MS19-4461537");
      script_xref(name:"MSFT", value:"MS19-4461614");
      script_xref(name:"MSFT", value:"MS19-4461617");
    
      script_name(english:"Security Updates for Microsoft Office Products (January 2019)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft Office Products are affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft Office Products are missing security updates.
    It is, therefore, affected by multiple vulnerabilities:
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine improperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user. (CVE-2019-0541)
    
      - An information disclosure vulnerability exists when
        Microsoft Outlook improperly handles certain types of
        messages. An attacker who successfully exploited this
        vulnerability could gather information about the victim.
        An attacker could exploit this vulnerability by sending
        a specially crafted email to the victim. The update
        addresses the vulnerability by correcting the way
        Microsoft Outlook handles these types of messages.
        (CVE-2019-0559)
    
      - An information disclosure vulnerability exists when
        Microsoft Office improperly discloses the contents of
        its memory. An attacker who exploited the vulnerability
        could use the information to compromise the users
        computer or data. (CVE-2019-0560)
    
      - An information disclosure vulnerability exists when
        Microsoft Office improperly discloses the contents of
        its memory. An attacker who exploited the vulnerability
        could use the information to compromise the users
        computer or data. (CVE-2019-0560)
    
      - A remote code execution vulnerability exists in
        Microsoft Word software when it fails to properly handle
        objects in memory. An attacker who successfully
        exploited the vulnerability could use a specially
        crafted file to perform actions in the security context
        of the current user. For example, the file could then
        take actions on behalf of the logged-on user with the
        same permissions as the current user. (CVE-2019-0585)");
      # https://support.microsoft.com/en-us/help/2553332/description-of-the-security-update-for-office-2010-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9755a441");
      # https://support.microsoft.com/en-us/help/3172522/description-of-the-security-update-for-office-2013-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?968583fb");
      # https://support.microsoft.com/en-us/help/4022162/description-of-the-security-update-for-office-2016-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?17ce5756");
      # https://support.microsoft.com/en-us/help/4461535/description-of-the-security-update-for-office-2016-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4972ec37");
      # https://support.microsoft.com/en-us/help/4461537/description-of-the-security-update-for-office-2013-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b66be4d2");
      # https://support.microsoft.com/en-us/help/4461614/description-of-the-security-update-for-office-2010-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3f0fcaba");
      # https://support.microsoft.com/en-us/help/4461617/description-of-the-security-update-for-office-2010-january-8-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?99556f38");
      # https://docs.microsoft.com/en-us/officeupdates/update-history-office365-proplus-by-date
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c6fc9b1b");
      # https://docs.microsoft.com/en-us/officeupdates/update-history-office-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?42ab6861");
      # https://support.office.com/en-us/article/install-office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7b126882");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:
      -KB2553332
      -KB3172522
      -KB4022162
      -KB4461535
      -KB4461537
      -KB4461614
      -KB4461617
    
    For Office 365, Office 2016 C2R, or Office 2019, ensure automatic
    updates are enabled or open any office app and manually perform an
    update.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0585");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:office");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("office_installed.nasl","smb_hotfixes.nasl","ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_reg_query.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    global_var vuln;
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list(
      '2553332', # Office 2010 SP2
      '3172522', # Office 2013 SP1
      '4022162', # Office 2016
      '4461535', # Office 2016
      '4461537', # Office 2013 SP1
      '4461614', # Office 2010 SP2
      '4461617'  # Office 2010 SP2
    );
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated", exit_code:1);
    
    vuln = FALSE;
    port = kb_smb_transport();
    
    office_vers = hotfix_check_office_version();
    
    # Office 2010 SP2
    if (office_vers["14.0"])
    {
      office_sp = get_kb_item("SMB/Office/2010/SP");
      if (!isnull(office_sp) && office_sp == 2)
      {
        prod = "Microsoft Office 2010 SP2";
    
        path = hotfix_get_officeprogramfilesdir(officever:"14.0");
        path = hotfix_append_path(path:path, value:"Microsoft Office\Office14");
        kb = "2553332";
        file = "msohev.dll";
        version = "14.0.7227.5000";
        if (hotfix_check_fversion(file:file, version:version, path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
    
        path = hotfix_get_officecommonfilesdir(officever:"14.0");
        path = hotfix_append_path(path:path, value:"Microsoft Shared\Office14");
        kb = "4461614";
        file = "mso.dll";
        version = "14.0.7227.5000";
        if (hotfix_check_fversion(file:file, version:version, path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
    
        # wwlibcxm.dll only exists if KB2428677 is installed
        path = hotfix_get_officeprogramfilesdir(officever:"14.0");
        kb = "4461617";
        file = "wwlibcxm.dll";
        version = "14.0.7228.5000";
        if (hotfix_check_fversion(file:file, version:version, path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
      }
    }
    
    # Office 2013 SP1
    if (office_vers["15.0"])
    {
      office_sp = get_kb_item("SMB/Office/2013/SP");
      if (!isnull(office_sp) && office_sp == 1)
      {
        prod = "Microsoft Office 2013 SP1";
    
        path = hotfix_get_officeprogramfilesdir(officever:"15.0");
        path = hotfix_append_path(path:path, value:"Microsoft Office\Office15");
        kb = "3172522";
        file = "msohev.dll";
        version = "15.0.5101.1000";
        if (hotfix_check_fversion(file:file, version:version, path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER )
          vuln = TRUE;
    
        path = hotfix_get_officecommonfilesdir(officever:"15.0");
        path = hotfix_append_path(path:path, value:"Microsoft Shared\Office15");
        kb = "4461537";
        file = "mso.dll";
        version = "15.0.5101.1000";
        if (hotfix_check_fversion(file:file, version:version, path:path, kb:kb, bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
      }
    }
    
    # Office 2016
    if (office_vers["16.0"])
    {
      office_sp = get_kb_item("SMB/Office/2016/SP");
      if (!isnull(office_sp) && office_sp == 0)
      {
        prod = "Microsoft Office 2016";
        prod2019 = "Microsoft Office 2019";
    
        path = hotfix_get_officecommonfilesdir(officever:"16.0");
        mso_dll_path = hotfix_append_path(path:path, value:"Microsoft Shared\Office16");
    
        path = hotfix_get_officeprogramfilesdir(officever:"16.0");
        msohev_dll_path = hotfix_append_path(path:path, value:"Microsoft Office\Office16");
    
        c2r_path = mso_dll_path;
    
        # MSI msohev.dll
        if (hotfix_check_fversion(file:"msohev.dll", version:"16.0.4795.1000", channel:"MSI", channel_product:"Office", path:msohev_dll_path, kb:"4022162", bulletin:bulletin, product:prod) == HCF_OLDER)
          vuln = TRUE;
    
        if (
          # MSI mso.dll
          hotfix_check_fversion(file:"mso.dll", version:"16.0.4795.1000", channel:"MSI", channel_product:"Office", path:mso_dll_path, kb:"4461535", bulletin:bulletin, product:prod) == HCF_OLDER ||
          # C2R
          hotfix_check_fversion(file:"mso.dll", version:"16.0.8431.2366", channel:"Deferred", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod) == HCF_OLDER ||
          hotfix_check_fversion(file:"mso.dll", version:"16.0.9126.2351", channel:"Deferred", channel_version:"1803", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod) == HCF_OLDER ||
          hotfix_check_fversion(file:"mso.dll", version:"16.0.10730.20264", channel:"Deferred", channel_version:"1808", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod) == HCF_OLDER ||
          hotfix_check_fversion(file:"mso.dll", version:"16.0.10730.20264", channel:"First Release for Deferred", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod) == HCF_OLDER ||
          hotfix_check_fversion(file:"mso.dll", version:"16.0.11126.20192", channel:"Current", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod) == HCF_OLDER ||
          # 2019
          hotfix_check_fversion(file:"mso.dll", version:"16.0.11126.20192", channel:"2019 Retail", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod2019) == HCF_OLDER ||
          hotfix_check_fversion(file:"mso.dll", version:"16.0.10340.20017", channel:"2019 Volume", channel_product:"Office", path:c2r_path, bulletin:bulletin, product:prod2019) == HCF_OLDER
        )
        vuln = TRUE;
      }
    }
    
    if (vuln)
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480961.NASL
    descriptionThe remote Windows host is missing security update 4480961. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-0539, CVE-2019-0567) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how the Microsoft XmlDocument class enforces sandboxing. (CVE-2019-0555) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543) - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2019-0570) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0551) - An elevation of privilege exists in Windows COM Desktop Broker. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-0552) - An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object. An attacker who successfully exploited the vulnerability could use the Browser Broker COM object to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0566) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. (CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574)
    last seen2020-06-01
    modified2020-06-02
    plugin id121012
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121012
    titleKB4480961: Windows 10 Version 1607 and Windows Server 2016 January 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121012);
      script_version("1.8");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2019-0536",
        "CVE-2019-0538",
        "CVE-2019-0539",
        "CVE-2019-0541",
        "CVE-2019-0543",
        "CVE-2019-0545",
        "CVE-2019-0549",
        "CVE-2019-0551",
        "CVE-2019-0552",
        "CVE-2019-0554",
        "CVE-2019-0555",
        "CVE-2019-0566",
        "CVE-2019-0567",
        "CVE-2019-0569",
        "CVE-2019-0570",
        "CVE-2019-0571",
        "CVE-2019-0572",
        "CVE-2019-0573",
        "CVE-2019-0574",
        "CVE-2019-0575",
        "CVE-2019-0576",
        "CVE-2019-0577",
        "CVE-2019-0578",
        "CVE-2019-0579",
        "CVE-2019-0580",
        "CVE-2019-0581",
        "CVE-2019-0582",
        "CVE-2019-0583",
        "CVE-2019-0584"
      );
      script_xref(name:"MSKB", value:"4480961");
      script_xref(name:"MSFT", value:"MS19-4480961");
    
      script_name(english:"KB4480961: Windows 10 Version 1607 and Windows Server 2016 January 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4480961. 
    It is, therefore, affected by multiple vulnerabilities :
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-0539, CVE-2019-0567)
    
      - An information disclosure vulnerability exists in .NET
        Framework and .NET Core which allows bypassing Cross-
        origin Resource Sharing (CORS) configurations. An
        attacker who successfully exploited the vulnerability
        could retrieve content, that is normally restricted,
        from a web application. The security update addresses
        the vulnerability by enforcing CORS configuration to
        prevent its bypass. (CVE-2019-0545)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576,
        CVE-2019-0577, CVE-2019-0578, CVE-2019-0579,
        CVE-2019-0580, CVE-2019-0581, CVE-2019-0582,
        CVE-2019-0583, CVE-2019-0584)
    
      - An elevation of privilege vulnerability exists in the
        Microsoft XmlDocument class that could allow an attacker
        to escape from the AppContainer sandbox in the browser.
        An attacker who successfully exploited this
        vulnerability could gain elevated privileges and break
        out of the Edge AppContainer sandbox. The vulnerability
        by itself does not allow arbitrary code to run. However,
        this vulnerability could be used in conjunction with one
        or more vulnerabilities (for example a remote code
        execution vulnerability and another elevation of
        privilege vulnerability) to take advantage of the
        elevated privileges when running. The security update
        addresses the vulnerability by modifying how the
        Microsoft XmlDocument class enforces sandboxing.
        (CVE-2019-0555)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-0543)
    
      - An elevation of privilege vulnerability exists when the
        Windows Runtime improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in an elevated context. An
        attacker could exploit this vulnerability by running a
        specially crafted application on the victim system. The
        update addresses the vulnerability by correcting the way
        the Windows Runtime handles objects in memory.
        (CVE-2019-0570)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)
    
      - A remote code execution vulnerability exists when
        Windows Hyper-V on a host server fails to properly
        validate input from an authenticated user on a guest
        operating system.  (CVE-2019-0551)
    
      - An elevation of privilege exists in Windows COM Desktop
        Broker. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-0552)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Edge Browser Broker COM object. An attacker
        who successfully exploited the vulnerability could use
        the Browser Broker COM object to elevate privileges on
        an affected system. This vulnerability by itself does
        not allow arbitrary code execution; however, it could
        allow arbitrary code to be run if the attacker uses it
        in combination with another vulnerability (such as a
        remote code execution vulnerability or another elevation
        of privilege vulnerability) that is capable of
        leveraging the elevated privileges when code execution
        is attempted. (CVE-2019-0566)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-0569)
    
      - An elevation of privilege vulnerability exists when the
        Windows Data Sharing Service improperly handles file
        operations. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could exploit this vulnerability by
        running a specially crafted application on the victim
        system. The update addresses the vulnerability by
        correcting the way the Windows Data Sharing Service
        handles file operations. (CVE-2019-0571, CVE-2019-0572,
        CVE-2019-0573, CVE-2019-0574)");
      # https://support.microsoft.com/en-us/help/4480961/windows-10-update-kb4480961
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?108c06e5");
      script_set_attribute(attribute:"solution", value:
      "Apply Cumulative Update KB4480961.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0538");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list('4480961');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"14393",
                       rollup_date:"01_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4480961])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480116.NASL
    descriptionThe remote Windows host is missing security update 4480116. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-0539, CVE-2019-0567, CVE-2019-0568) - An information disclosure vulnerability exists when Windows Subsystem for Linux improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. A attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how Windows Subsystem for Linux handles objects in memory. (CVE-2019-0553) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-0550, CVE-2019-0551) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-0565) - An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how the Microsoft XmlDocument class enforces sandboxing. (CVE-2019-0555) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543) - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2019-0570) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An elevation of privilege exists in Windows COM Desktop Broker. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-0552) - An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object. An attacker who successfully exploited the vulnerability could use the Browser Broker COM object to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0566) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. (CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574)
    last seen2020-06-01
    modified2020-06-02
    plugin id121011
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121011
    titleKB4480116: Windows 10 Version 1809 and Windows Server 2019 January 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121011);
      script_version("1.8");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2019-0536",
        "CVE-2019-0538",
        "CVE-2019-0539",
        "CVE-2019-0541",
        "CVE-2019-0543",
        "CVE-2019-0545",
        "CVE-2019-0549",
        "CVE-2019-0550",
        "CVE-2019-0551",
        "CVE-2019-0552",
        "CVE-2019-0553",
        "CVE-2019-0554",
        "CVE-2019-0555",
        "CVE-2019-0565",
        "CVE-2019-0566",
        "CVE-2019-0567",
        "CVE-2019-0568",
        "CVE-2019-0569",
        "CVE-2019-0570",
        "CVE-2019-0571",
        "CVE-2019-0572",
        "CVE-2019-0573",
        "CVE-2019-0574",
        "CVE-2019-0575",
        "CVE-2019-0576",
        "CVE-2019-0577",
        "CVE-2019-0578",
        "CVE-2019-0579",
        "CVE-2019-0580",
        "CVE-2019-0581",
        "CVE-2019-0582",
        "CVE-2019-0583",
        "CVE-2019-0584"
      );
      script_xref(name:"MSKB", value:"4480116");
      script_xref(name:"MSFT", value:"MS19-4480116");
    
      script_name(english:"KB4480116: Windows 10 Version 1809 and Windows Server 2019 January 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4480116.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-0539, CVE-2019-0567,
        CVE-2019-0568)
    
      - An information disclosure vulnerability exists when
        Windows Subsystem for Linux improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system. A attacker could exploit
        this vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how Windows Subsystem for Linux handles
        objects in memory. (CVE-2019-0553)
    
      - An information disclosure vulnerability exists in .NET
        Framework and .NET Core which allows bypassing Cross-
        origin Resource Sharing (CORS) configurations. An
        attacker who successfully exploited the vulnerability
        could retrieve content, that is normally restricted,
        from a web application. The security update addresses
        the vulnerability by enforcing CORS configuration to
        prevent its bypass. (CVE-2019-0545)
    
      - A remote code execution vulnerability exists when
        Windows Hyper-V on a host server fails to properly
        validate input from an authenticated user on a guest
        operating system.  (CVE-2019-0550, CVE-2019-0551)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576,
        CVE-2019-0577, CVE-2019-0578, CVE-2019-0579,
        CVE-2019-0580, CVE-2019-0581, CVE-2019-0582,
        CVE-2019-0583, CVE-2019-0584)
    
      - A remote code execution vulnerability exists when
        Microsoft Edge improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that enables an attacker to execute arbitrary code in
        the context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-0565)
    
      - An elevation of privilege vulnerability exists in the
        Microsoft XmlDocument class that could allow an attacker
        to escape from the AppContainer sandbox in the browser.
        An attacker who successfully exploited this
        vulnerability could gain elevated privileges and break
        out of the Edge AppContainer sandbox. The vulnerability
        by itself does not allow arbitrary code to run. However,
        this vulnerability could be used in conjunction with one
        or more vulnerabilities (for example a remote code
        execution vulnerability and another elevation of
        privilege vulnerability) to take advantage of the
        elevated privileges when running. The security update
        addresses the vulnerability by modifying how the
        Microsoft XmlDocument class enforces sandboxing.
        (CVE-2019-0555)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-0543)
    
      - An elevation of privilege vulnerability exists when the
        Windows Runtime improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in an elevated context. An
        attacker could exploit this vulnerability by running a
        specially crafted application on the victim system. The
        update addresses the vulnerability by correcting the way
        the Windows Runtime handles objects in memory.
        (CVE-2019-0570)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)
    
      - An elevation of privilege exists in Windows COM Desktop
        Broker. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-0552)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Edge Browser Broker COM object. An attacker
        who successfully exploited the vulnerability could use
        the Browser Broker COM object to elevate privileges on
        an affected system. This vulnerability by itself does
        not allow arbitrary code execution; however, it could
        allow arbitrary code to be run if the attacker uses it
        in combination with another vulnerability (such as a
        remote code execution vulnerability or another elevation
        of privilege vulnerability) that is capable of
        leveraging the elevated privileges when code execution
        is attempted. (CVE-2019-0566)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-0569)
    
      - An elevation of privilege vulnerability exists when the
        Windows Data Sharing Service improperly handles file
        operations. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could exploit this vulnerability by
        running a specially crafted application on the victim
        system. The update addresses the vulnerability by
        correcting the way the Windows Data Sharing Service
        handles file operations. (CVE-2019-0571, CVE-2019-0572,
        CVE-2019-0573, CVE-2019-0574)");
      # https://support.microsoft.com/en-us/help/4480116/windows-10-update-kb4480116
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b3a1f686");
      script_set_attribute(attribute:"solution", value:
      "Apply Cumulative Update KB4480116.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0538");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list('4480116');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"17763",
                       rollup_date:"01_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4480116])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480975.NASL
    descriptionThe remote Windows host is missing security update 4480972 or cumulative update 4480975. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how the Microsoft XmlDocument class enforces sandboxing. (CVE-2019-0555) - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2019-0570) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543)
    last seen2020-06-01
    modified2020-06-02
    plugin id121019
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121019
    titleKB4480972: Windows Server 2012 January 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121019);
      script_version("1.8");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2019-0536",
        "CVE-2019-0538",
        "CVE-2019-0541",
        "CVE-2019-0543",
        "CVE-2019-0545",
        "CVE-2019-0549",
        "CVE-2019-0554",
        "CVE-2019-0555",
        "CVE-2019-0569",
        "CVE-2019-0570",
        "CVE-2019-0575",
        "CVE-2019-0576",
        "CVE-2019-0577",
        "CVE-2019-0578",
        "CVE-2019-0579",
        "CVE-2019-0580",
        "CVE-2019-0581",
        "CVE-2019-0582",
        "CVE-2019-0583",
        "CVE-2019-0584"
      );
      script_xref(name:"MSKB", value:"4480972");
      script_xref(name:"MSKB", value:"4480975");
      script_xref(name:"MSFT", value:"MS19-4480972");
      script_xref(name:"MSFT", value:"MS19-4480975");
    
      script_name(english:"KB4480972: Windows Server 2012 January 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4480972
    or cumulative update 4480975. It is, therefore, affected by
    multiple vulnerabilities :
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-0569)
    
      - An information disclosure vulnerability exists in .NET
        Framework and .NET Core which allows bypassing Cross-
        origin Resource Sharing (CORS) configurations. An
        attacker who successfully exploited the vulnerability
        could retrieve content, that is normally restricted,
        from a web application. The security update addresses
        the vulnerability by enforcing CORS configuration to
        prevent its bypass. (CVE-2019-0545)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576,
        CVE-2019-0577, CVE-2019-0578, CVE-2019-0579,
        CVE-2019-0580, CVE-2019-0581, CVE-2019-0582,
        CVE-2019-0583, CVE-2019-0584)
    
      - An elevation of privilege vulnerability exists in the
        Microsoft XmlDocument class that could allow an attacker
        to escape from the AppContainer sandbox in the browser.
        An attacker who successfully exploited this
        vulnerability could gain elevated privileges and break
        out of the Edge AppContainer sandbox. The vulnerability
        by itself does not allow arbitrary code to run. However,
        this vulnerability could be used in conjunction with one
        or more vulnerabilities (for example a remote code
        execution vulnerability and another elevation of
        privilege vulnerability) to take advantage of the
        elevated privileges when running. The security update
        addresses the vulnerability by modifying how the
        Microsoft XmlDocument class enforces sandboxing.
        (CVE-2019-0555)
    
      - An elevation of privilege vulnerability exists when the
        Windows Runtime improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in an elevated context. An
        attacker could exploit this vulnerability by running a
        specially crafted application on the victim system. The
        update addresses the vulnerability by correcting the way
        the Windows Runtime handles objects in memory.
        (CVE-2019-0570)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-0543)");
      # https://support.microsoft.com/en-us/help/4480972/windows-server-2012-kb4480972
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?28d14e98");
      # https://support.microsoft.com/en-us/help/4480975/windows-server-2012-update-kb4480975
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?14883957");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4480972 or Cumulative Update KB4480975.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0538");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list('4480972', '4480975');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    # Windows 8 EOL
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.2",
                       sp:0,
                       rollup_date:"01_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4480972, 4480975])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480968.NASL
    descriptionThe remote Windows host is missing security update 4480957 or cumulative update 4480968. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543)
    last seen2020-06-01
    modified2020-06-02
    plugin id121016
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121016
    titleKB4480957: Windows Server 2008 January 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(121016);
      script_version("1.9");
      script_cvs_date("Date: 2019/04/30 14:30:16");
    
      script_cve_id(
        "CVE-2019-0536",
        "CVE-2019-0538",
        "CVE-2019-0541",
        "CVE-2019-0543",
        "CVE-2019-0545",
        "CVE-2019-0549",
        "CVE-2019-0554",
        "CVE-2019-0569",
        "CVE-2019-0575",
        "CVE-2019-0576",
        "CVE-2019-0577",
        "CVE-2019-0578",
        "CVE-2019-0579",
        "CVE-2019-0580",
        "CVE-2019-0581",
        "CVE-2019-0582",
        "CVE-2019-0583",
        "CVE-2019-0584"
      );
      script_xref(name:"MSKB", value:"4480968");
      script_xref(name:"MSKB", value:"4480957");
      script_xref(name:"MSFT", value:"MS19-4480968");
      script_xref(name:"MSFT", value:"MS19-4480957");
    
      script_name(english:"KB4480957: Windows Server 2008 January 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4480957
    or cumulative update 4480968. It is, therefore, affected by
    multiple vulnerabilities :
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-0569)
    
      - An information disclosure vulnerability exists in .NET
        Framework and .NET Core which allows bypassing Cross-
        origin Resource Sharing (CORS) configurations. An
        attacker who successfully exploited the vulnerability
        could retrieve content, that is normally restricted,
        from a web application. The security update addresses
        the vulnerability by enforcing CORS configuration to
        prevent its bypass. (CVE-2019-0545)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576,
        CVE-2019-0577, CVE-2019-0578, CVE-2019-0579,
        CVE-2019-0580, CVE-2019-0581, CVE-2019-0582,
        CVE-2019-0583, CVE-2019-0584)
    
      - A remote code execution vulnerability exists in the way
        that the MSHTML engine inproperly validates input. An
        attacker could execute arbitrary code in the context of
        the current user.  (CVE-2019-0541)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-0543)");
      # https://support.microsoft.com/en-us/help/4480968/windows-server-2008-update-kb4480968
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be3b897d");
      # https://support.microsoft.com/en-us/help/4480957/windows-server-2008-update-kb4480957
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?25cf74de");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4480957 or Cumulative Update KB4480968.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0538");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-01";
    kbs = make_list('4480957', '4480968');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.0",
                       sp:2,
                       rollup_date:"01_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4480957, 4480968])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480963.NASL
    descriptionThe remote Windows host is missing security update 4480964 or cumulative update 4480963. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how the Microsoft XmlDocument class enforces sandboxing. (CVE-2019-0555) - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2019-0570) - A remote code execution vulnerability exists in the way that the MSHTML engine improperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An elevation of privilege exists in Windows COM Desktop Broker. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-0552) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569)
    last seen2020-06-01
    modified2020-06-02
    plugin id121014
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121014
    titleKB4480964: Windows 8.1 and Windows Server 2012 R2 January 2019 Security Update
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JAN_4480962.NASL
    descriptionThe remote Windows host is missing security update 4480962. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-0536, CVE-2019-0549, CVE-2019-0554) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-0539, CVE-2019-0567) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-0538, CVE-2019-0575, CVE-2019-0576, CVE-2019-0577, CVE-2019-0578, CVE-2019-0579, CVE-2019-0580, CVE-2019-0581, CVE-2019-0582, CVE-2019-0583, CVE-2019-0584) - An information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross- origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. (CVE-2019-0545) - An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser. An attacker who successfully exploited this vulnerability could gain elevated privileges and break out of the Edge AppContainer sandbox. The vulnerability by itself does not allow arbitrary code to run. However, this vulnerability could be used in conjunction with one or more vulnerabilities (for example a remote code execution vulnerability and another elevation of privilege vulnerability) to take advantage of the elevated privileges when running. The security update addresses the vulnerability by modifying how the Microsoft XmlDocument class enforces sandboxing. (CVE-2019-0555) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-0543) - An elevation of privilege vulnerability exists when the Windows Runtime improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Runtime handles objects in memory. (CVE-2019-0570) - A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input. An attacker could execute arbitrary code in the context of the current user. (CVE-2019-0541) - An elevation of privilege exists in Windows COM Desktop Broker. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-0552) - An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object. An attacker who successfully exploited the vulnerability could use the Browser Broker COM object to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0566) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-0569) - An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way the Windows Data Sharing Service handles file operations. (CVE-2019-0571, CVE-2019-0572, CVE-2019-0573, CVE-2019-0574)
    last seen2020-06-01
    modified2020-06-02
    plugin id121013
    published2019-01-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/121013
    titleKB4480962: Windows 10 January 2019 Security Update