Vulnerabilities > CVE-2019-1006 - Improper Certificate Validation vulnerability in Microsoft products

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
microsoft
CWE-295
nessus

Summary

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys, aka 'WCF/WIF SAML Token Authentication Bypass Vulnerability'.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Creating a Rogue Certificate Authority Certificate
    An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507450.NASL
    descriptionThe remote Windows host is missing security update 4507450. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0999) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2019-0966) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature. An attacker could exploit the vulnerability by creating a specially crafted connection or message. The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures. (CVE-2019-0865) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1129, CVE-2019-1130) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126572
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126572
    titleKB4507450: Windows 10 Version 1703 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126572);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0865",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0966",
        "CVE-2019-0999",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1106",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1125",
        "CVE-2019-1129",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507450");
      script_xref(name:"MSFT", value:"MS19-4507450");
    
      script_name(english:"KB4507450: Windows 10 Version 1703 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507450.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists when
        DirectX improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-0999)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1106, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - A denial of service vulnerability exists when Microsoft
        Hyper-V on a host server fails to properly validate
        input from a privileged user on a guest operating
        system.  (CVE-2019-0966)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A denial of service vulnerability exists when SymCrypt
        improperly handles a specially crafted digital
        signature. An attacker could exploit the vulnerability
        by creating a specially crafted connection or message.
        The security update addresses the vulnerability by
        correcting the way SymCrypt handles digital signatures.
        (CVE-2019-0865)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1129,
        CVE-2019-1130)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507450/windows-10-update-kb4507450
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f489340c");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507450.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507450');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"15063",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507450])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507462.NASL
    descriptionThe remote Windows host is missing security update 4507464 or cumulative update 4507462. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1088) - An elevation of privilege vulnerability exists in Microsoft Windows where a certain dll, with Local Service privilege, is vulnerable to race planting a customized dll. An attacker who successfully exploited this vulnerability could potentially elevate privilege to SYSTEM. The update addresses this vulnerability by requiring system privileges for a certain DLL. (CVE-2019-1082) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1130) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. (CVE-2019-0785) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126578
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126578
    titleKB4507464: Windows Server 2012 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126578);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0785",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1063",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1082",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1104",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1125",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507462");
      script_xref(name:"MSKB", value:"4507464");
      script_xref(name:"MSFT", value:"MS19-4507462");
      script_xref(name:"MSFT", value:"MS19-4507464");
    
      script_name(english:"KB4507464: Windows Server 2012 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507464
    or cumulative update 4507462. It is, therefore, affected by
    multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1088)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where a certain dll, with Local
        Service privilege, is vulnerable to race planting a
        customized dll. An attacker who successfully exploited
        this vulnerability could potentially elevate privilege
        to SYSTEM. The update addresses this vulnerability by
        requiring system privileges for a certain DLL.
        (CVE-2019-1082)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1130)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A memory corruption vulnerability exists in the Windows
        Server DHCP service when an attacker sends specially
        crafted packets to a DHCP failover server. An attacker
        who successfully exploited the vulnerability could
        either run arbitrary code on the DHCP failover server or
        cause the DHCP service to become nonresponsive.
        (CVE-2019-0785)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507462/windows-server-2012-update-kb4507462
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?94506c02");
      # https://support.microsoft.com/en-us/help/4507464/windows-server-2012-update-kb4507464
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?12c153e6");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4507464 or Cumulative Update KB4507462.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507462', '4507464');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    # Windows 8 EOL
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.2",
                       sp:0,
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507462, 4507464])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507458.NASL
    descriptionThe remote Windows host is missing security update 4507458. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0999) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege vulnerability exists in Microsoft Windows where a certain dll, with Local Service privilege, is vulnerable to race planting a customized dll. An attacker who successfully exploited this vulnerability could potentially elevate privilege to SYSTEM. The update addresses this vulnerability by requiring system privileges for a certain DLL. (CVE-2019-1082) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1130) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126576
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126576
    titleKB4507458: Windows 10 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126576);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0999",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1082",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1125",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507458");
      script_xref(name:"MSFT", value:"MS19-4507458");
    
      script_name(english:"KB4507458: Windows 10 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507458.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists when
        DirectX improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-0999)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where a certain dll, with Local
        Service privilege, is vulnerable to race planting a
        customized dll. An attacker who successfully exploited
        this vulnerability could potentially elevate privilege
        to SYSTEM. The update addresses this vulnerability by
        requiring system privileges for a certain DLL.
        (CVE-2019-1082)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1130)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507458/windows-10-update-kb4507458
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dfda1841");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507458.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507458');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"10240",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507458])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507460.NASL
    descriptionThe remote Windows host is missing security update 4507460. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0999) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2019-0966) - An elevation of privilege vulnerability exists in Microsoft Windows where a certain dll, with Local Service privilege, is vulnerable to race planting a customized dll. An attacker who successfully exploited this vulnerability could potentially elevate privilege to SYSTEM. The update addresses this vulnerability by requiring system privileges for a certain DLL. (CVE-2019-1082) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1130) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy. (CVE-2019-1126) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. (CVE-2019-0785) - A security feature bypass vulnerability exists when Active Directory Federation Services (ADFS) improperly updates its list of banned IP addresses. (CVE-2019-0975) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - A denial of service vulnerability exists in Windows DNS Server when it fails to properly handle DNS queries. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive. (CVE-2019-0811) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126577
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126577
    titleKB4507460: Windows 10 Version 1607 and Windows Server 2016 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126577);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0785",
        "CVE-2019-0811",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0966",
        "CVE-2019-0975",
        "CVE-2019-0999",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1082",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1106",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1125",
        "CVE-2019-1126",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507460");
      script_xref(name:"MSFT", value:"MS19-4507460");
    
      script_name(english:"KB4507460: Windows 10 Version 1607 and Windows Server 2016 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507460.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists when
        DirectX improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-0999)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1106, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - A denial of service vulnerability exists when Microsoft
        Hyper-V on a host server fails to properly validate
        input from a privileged user on a guest operating
        system.  (CVE-2019-0966)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where a certain dll, with Local
        Service privilege, is vulnerable to race planting a
        customized dll. An attacker who successfully exploited
        this vulnerability could potentially elevate privilege
        to SYSTEM. The update addresses this vulnerability by
        requiring system privileges for a certain DLL.
        (CVE-2019-1082)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1130)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A security feature bypass vulnerability exists in Active
        Directory Federation Services (ADFS) which could allow
        an attacker to bypass the extranet lockout policy.
        (CVE-2019-1126)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A memory corruption vulnerability exists in the Windows
        Server DHCP service when an attacker sends specially
        crafted packets to a DHCP failover server. An attacker
        who successfully exploited the vulnerability could
        either run arbitrary code on the DHCP failover server or
        cause the DHCP service to become nonresponsive.
        (CVE-2019-0785)
    
      - A security feature bypass vulnerability exists when
        Active Directory Federation Services (ADFS) improperly
        updates its list of banned IP addresses.
        (CVE-2019-0975)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
    
      - A denial of service vulnerability exists in Windows DNS
        Server when it fails to properly handle DNS queries. An
        attacker who successfully exploited this vulnerability
        could cause the DNS Server service to become
        nonresponsive.  (CVE-2019-0811)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507460/windows-10-update-kb4507460
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd6e86c0");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507460.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507460');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"14393",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507460])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_OFFICE_SHAREPOINT.NASL
    descriptionThe Microsoft SharePoint Server installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim
    last seen2020-06-01
    modified2020-06-02
    plugin id126584
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126584
    titleSecurity Updates for Microsoft SharePoint Server (July 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126584);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id("CVE-2019-1006", "CVE-2019-1134");
      script_bugtraq_id(108978, 109028);
      script_xref(name:"MSKB", value:"4475510");
      script_xref(name:"MSKB", value:"4475520");
      script_xref(name:"MSKB", value:"4475522");
      script_xref(name:"MSKB", value:"4475527");
      script_xref(name:"MSKB", value:"4475529");
      script_xref(name:"MSFT", value:"MS19-4475510");
      script_xref(name:"MSFT", value:"MS19-4475520");
      script_xref(name:"MSFT", value:"MS19-4475522");
      script_xref(name:"MSFT", value:"MS19-4475527");
      script_xref(name:"MSFT", value:"MS19-4475529");
    
      script_name(english:"Security Updates for Microsoft SharePoint Server (July 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft SharePoint Server installation on the remote host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft SharePoint Server installation on the remote
    host is missing security updates. It is, therefore, affected
    by multiple vulnerabilities :
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - A cross-site-scripting (XSS) vulnerability exists when
        Microsoft SharePoint Server does not properly sanitize a
        specially crafted web request to an affected SharePoint
        server. An authenticated attacker could exploit the
        vulnerability by sending a specially crafted request to
        an affected SharePoint server. The attacker who
        successfully exploited the vulnerability could then
        perform cross-site scripting attacks on affected systems
        and run script in the security context of the current
        user. The attacks could allow the attacker to read
        content that the attacker is not authorized to read, use
        the victim's identity to take actions on the SharePoint
        site on behalf of the user, such as change permissions
        and delete content, and inject malicious content in the
        browser of the user. The security update addresses the
        vulnerability by helping to ensure that SharePoint
        Server properly sanitizes web requests. (CVE-2019-1134)");
      # https://support.microsoft.com/en-us/help/4475520/security-update-for-sharepoint-enterprise-server-2016
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ccb4bdba");
      # https://support.microsoft.com/en-us/help/4475522/security-update-for-sharepoint-enterprise-server-2013
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11471b7c");
      # https://support.microsoft.com/en-us/help/4475527/security-update-for-sharepoint-foundation-2013-july-9-2019
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f6efc6d4");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue: 
      -KB4475510 
      -KB4475520
      -KB4475522
      -KB4475527
      -KB4475529");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1006");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sharepoint");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("microsoft_sharepoint_installed.nbin", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include('smb_func.inc');
    include('smb_hotfixes.inc');
    include('smb_hotfixes_fcheck.inc');
    include('smb_reg_query.inc');
    include('misc_func.inc');
    include('install_func.inc');
    include('lists.inc');
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    bulletin = 'MS19-07';
    
    kbs = make_list(
      '4475510', # 2010 SP2
      '4475527', # 2013 SP1 Foundation
      '4475522', # 2013 SP1 Enterprise
      '4475520', # 2016
      '4475529'  # 2019
    );
    
    if (get_kb_item('Host/patch_management_checks'))
      hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit('SMB/Registry/Enumerated', exit_code:1);
    
    # Get path information for Windows.
    windir = hotfix_get_systemroot();
    if (isnull(windir)) exit(1, 'Failed to determine the location of %windir%.');
    
    registry_init();
    
    vuln = FALSE;
    port = kb_smb_transport();
    
    install = get_single_install(app_name:'Microsoft SharePoint Server');
    
    # direct reference lookup of product...
    kb_checks =
    {
      '2010':
      # direct reference lookup of SP...
      { '2':
        # direct reference lookup of edition...
        {'Foundation':
          [{
            'kb': '4475510',
            'path': hotfix_get_commonfilesdir(),
            'append':'microsoft shared\\web server extensions\\14\\isapi',
            'file':'microsoft.sharepoint.dll',
            'version':'14.0.7235.5000',
            'min_version':'14.0.0.0',
            'product_name':'Microsoft SharePoint Foundaiton Server 2010 SP2'
          }]
        }
      },
      '2013':
      # direct reference lookup of SP...
      { '1':
        # direct reference lookup of edition...
        {'Server':
          [{
            'kb': '4475522',
            'path': install['path'],
            'append':'TransformApps',
            'file':'docxpageconverter.exe',
            'version':'15.0.5151.1000',
            'min_version':'15.0.0.0',
            'product_name':'Microsoft SharePoint Enterprise Server 2013 SP1'
          }],
        'Foundation':
          [{
            'kb': '4475527',
            'path': hotfix_get_commonfilesdir(),
            'append':'microsoft shared\\web server extensions\\15\\bin',
            'file':'csisrv.dll',
            'version':'15.0.5111.1000',
            'min_version':'15.0.0.0',
            'product_name':'Microsoft SharePoint Foundaiton Server 2013 SP1'
          }]
        }
      },
      '2016':
      # direct reference lookup of SP...
      { '0':
        # direct reference lookup of edition...
        {'Server':
          [{
            'kb': '4475520',
            'path': install['path'],
            'append':'bin',
            'file':'microsoft.sharepoint.publishing.dll',
            'version':'16.0.4867.1000',
            'min_version':'16.0.0.0',
            'product_name':'Microsoft SharePoint Enterprise Server 2016'
          }]
        }
      },
      '2019':
      # direct reference lookup of SP...
      { '0':
        # direct reference lookup of edition...
        {'Server':
          [{
            'kb': '4475529',
            'path': install['path'],
            'append':'bin',
            'file':'microsoft.sharepoint.publishing.dll',
            'version':'16.0.10348.12104',
            'min_version':'16.0.10000.0',
            'product_name':'Microsoft SharePoint Server 2019'
          }]
        }
      }
    };
    
    # get the specific product / path 
    param_list = kb_checks[install['Product']][install['SP']][install['Edition']];
    
    # audit if not affected
    if(isnull(param_list)) audit(AUDIT_INST_VER_NOT_VULN, "Microsoft SharePoint Server");
    
    vuln = FALSE;
    xss = FALSE;
    # grab the path otherwise
    foreach check (param_list)
    {
      path = hotfix_append_path(path:check['path'], value:check['append']);
      are_we_vuln = hotfix_check_fversion(file:check['file'], version:check['version'], path:path, kb:check['kb'], product:check['product_name']);
      if (are_we_vuln == HCF_OLDER)
      {
        if (check['kb'] != '4475520' || check['kb'] != '4475522' || check['kb'] != '4475529' ) xss = TRUE;
        vuln = TRUE;
      }
    }
    
    if (vuln == TRUE)
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      if (xss) replace_kb_item(name:'www/'+port+'/XSS', value:TRUE);
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507469.NASL
    descriptionThe remote Windows host is missing security update 4507469. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges. (CVE-2019-1037) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack. An attacker who successfully exploited this vulnerability could potentially access unauthorized information. The update addresses this vulnerability by not allowing symbolic links in these scenarios. (CVE-2019-1074) - An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1090) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2019-0966) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy. (CVE-2019-1126) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. (CVE-2019-0785) - A security feature bypass vulnerability exists when Active Directory Federation Services (ADFS) improperly updates its list of banned IP addresses. (CVE-2019-0975) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature. An attacker could exploit the vulnerability by creating a specially crafted connection or message. The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures. (CVE-2019-0865) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1129, CVE-2019-1130) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - A denial of service vulnerability exists in Windows DNS Server when it fails to properly handle DNS queries. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive. (CVE-2019-0811) - A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126579
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126579
    titleKB4507469: Windows 10 Version 1809 and Windows Server 2019 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126579);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0785",
        "CVE-2019-0811",
        "CVE-2019-0865",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0966",
        "CVE-2019-0975",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1037",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1074",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1090",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1106",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1117",
        "CVE-2019-1118",
        "CVE-2019-1119",
        "CVE-2019-1120",
        "CVE-2019-1121",
        "CVE-2019-1122",
        "CVE-2019-1123",
        "CVE-2019-1124",
        "CVE-2019-1125",
        "CVE-2019-1126",
        "CVE-2019-1127",
        "CVE-2019-1128",
        "CVE-2019-1129",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507469");
      script_xref(name:"MSFT", value:"MS19-4507469");
    
      script_name(english:"KB4507469: Windows 10 Version 1809 and Windows Server 2019 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507469.
    It is, therefore, affected by multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1106, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege vulnerability exists in the
        way Windows Error Reporting (WER) handles files. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with administrator
        privileges.  (CVE-2019-1037)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where certain folders, with local
        service privilege, are vulnerable to symbolic link
        attack. An attacker who successfully exploited this
        vulnerability could potentially access unauthorized
        information. The update addresses this vulnerability by
        not allowing symbolic links in these scenarios.
        (CVE-2019-1074)
    
      - An elevation of privilege vulnerability exists in the
        way that the dnsrslvr.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1090)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - A denial of service vulnerability exists when Microsoft
        Hyper-V on a host server fails to properly validate
        input from a privileged user on a guest operating
        system.  (CVE-2019-0966)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A security feature bypass vulnerability exists in Active
        Directory Federation Services (ADFS) which could allow
        an attacker to bypass the extranet lockout policy.
        (CVE-2019-1126)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A memory corruption vulnerability exists in the Windows
        Server DHCP service when an attacker sends specially
        crafted packets to a DHCP failover server. An attacker
        who successfully exploited the vulnerability could
        either run arbitrary code on the DHCP failover server or
        cause the DHCP service to become nonresponsive.
        (CVE-2019-0785)
    
      - A security feature bypass vulnerability exists when
        Active Directory Federation Services (ADFS) improperly
        updates its list of banned IP addresses.
        (CVE-2019-0975)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A denial of service vulnerability exists when SymCrypt
        improperly handles a specially crafted digital
        signature. An attacker could exploit the vulnerability
        by creating a specially crafted connection or message.
        The security update addresses the vulnerability by
        correcting the way SymCrypt handles digital signatures.
        (CVE-2019-0865)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1129,
        CVE-2019-1130)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
    
      - A denial of service vulnerability exists in Windows DNS
        Server when it fails to properly handle DNS queries. An
        attacker who successfully exploited this vulnerability
        could cause the DNS Server service to become
        nonresponsive.  (CVE-2019-0811)
    
      - A remote code execution vulnerability exists in the way
        that DirectWrite handles objects in memory. An attacker
        who successfully exploited this vulnerability could take
        control of the affected system. An attacker could then
        install programs; view, change, or delete data; or
        create new accounts with full user rights. There are
        multiple ways an attacker could exploit the
        vulnerability, such as by convincing a user to open a
        specially crafted document, or by convincing a user to
        visit an untrusted webpage. The security update
        addresses the vulnerability by correcting how
        DirectWrite handles objects in memory. (CVE-2019-1117,
        CVE-2019-1118, CVE-2019-1119, CVE-2019-1120,
        CVE-2019-1121, CVE-2019-1122, CVE-2019-1123,
        CVE-2019-1124, CVE-2019-1127, CVE-2019-1128)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507469/windows-10-update-kb4507469
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e5ce6fe4");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507469.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1128");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507469');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"17763",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507469])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507455.NASL
    descriptionThe remote Windows host is missing security update 4507455. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0999) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2019-0966) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges. (CVE-2019-1037) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack. An attacker who successfully exploited this vulnerability could potentially access unauthorized information. The update addresses this vulnerability by not allowing symbolic links in these scenarios. (CVE-2019-1074) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature. An attacker could exploit the vulnerability by creating a specially crafted connection or message. The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures. (CVE-2019-0865) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1129, CVE-2019-1130) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-05-31
    modified2019-07-09
    plugin id126575
    published2019-07-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126575
    titleKB4507455: Windows 10 Version 1709 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126575);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/27");
    
      script_cve_id(
        "CVE-2019-0865",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0966",
        "CVE-2019-0999",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1037",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1074",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1106",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1117",
        "CVE-2019-1118",
        "CVE-2019-1119",
        "CVE-2019-1120",
        "CVE-2019-1121",
        "CVE-2019-1122",
        "CVE-2019-1123",
        "CVE-2019-1124",
        "CVE-2019-1125",
        "CVE-2019-1127",
        "CVE-2019-1128",
        "CVE-2019-1129",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507455");
      script_xref(name:"MSFT", value:"MS19-4507455");
    
      script_name(english:"KB4507455: Windows 10 Version 1709 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507455.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists when
        DirectX improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-0999)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - A denial of service vulnerability exists when Microsoft
        Hyper-V on a host server fails to properly validate
        input from a privileged user on a guest operating
        system.  (CVE-2019-0966)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1106, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege vulnerability exists in the
        way Windows Error Reporting (WER) handles files. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with administrator
        privileges.  (CVE-2019-1037)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where certain folders, with local
        service privilege, are vulnerable to symbolic link
        attack. An attacker who successfully exploited this
        vulnerability could potentially access unauthorized
        information. The update addresses this vulnerability by
        not allowing symbolic links in these scenarios.
        (CVE-2019-1074)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A denial of service vulnerability exists when SymCrypt
        improperly handles a specially crafted digital
        signature. An attacker could exploit the vulnerability
        by creating a specially crafted connection or message.
        The security update addresses the vulnerability by
        correcting the way SymCrypt handles digital signatures.
        (CVE-2019-0865)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1129,
        CVE-2019-1130)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
    
      - A remote code execution vulnerability exists in the way
        that DirectWrite handles objects in memory. An attacker
        who successfully exploited this vulnerability could take
        control of the affected system. An attacker could then
        install programs; view, change, or delete data; or
        create new accounts with full user rights. There are
        multiple ways an attacker could exploit the
        vulnerability, such as by convincing a user to open a
        specially crafted document, or by convincing a user to
        visit an untrusted webpage. The security update
        addresses the vulnerability by correcting how
        DirectWrite handles objects in memory. (CVE-2019-1117,
        CVE-2019-1118, CVE-2019-1119, CVE-2019-1120,
        CVE-2019-1121, CVE-2019-1122, CVE-2019-1123,
        CVE-2019-1124, CVE-2019-1127, CVE-2019-1128)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507455/windows-10-update-kb4507455
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4741f3da");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507455.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1128");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507455');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    my_os_build = get_kb_item("SMB/WindowsVersionBuild");
    productname = get_kb_item_or_exit("SMB/ProductName");
    
    if (my_os_build == "16299" && "enterprise" >!< tolower(productname) && "education" >!< tolower(productname) && "server" >!< tolower(productname))
      audit(AUDIT_OS_NOT, "a supported version of Windows");
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"16299",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507455])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507453.NASL
    descriptionThe remote Windows host is missing security update 4507453. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2019-0966) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges. (CVE-2019-1037) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack. An attacker who successfully exploited this vulnerability could potentially access unauthorized information. The update addresses this vulnerability by not allowing symbolic links in these scenarios. (CVE-2019-1074) - An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1090) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature. An attacker could exploit the vulnerability by creating a specially crafted connection or message. The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures. (CVE-2019-0865) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1129, CVE-2019-1130) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126574
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126574
    titleKB4507453: Windows 10 Version 1903 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126574);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0865",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0966",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1037",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1074",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1090",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1106",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1117",
        "CVE-2019-1118",
        "CVE-2019-1119",
        "CVE-2019-1120",
        "CVE-2019-1121",
        "CVE-2019-1122",
        "CVE-2019-1123",
        "CVE-2019-1124",
        "CVE-2019-1125",
        "CVE-2019-1127",
        "CVE-2019-1128",
        "CVE-2019-1129",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507453");
      script_xref(name:"MSFT", value:"MS19-4507453");
    
      script_name(english:"KB4507453: Windows 10 Version 1903 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507453.
    It is, therefore, affected by multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - A denial of service vulnerability exists when Microsoft
        Hyper-V on a host server fails to properly validate
        input from a privileged user on a guest operating
        system.  (CVE-2019-0966)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1106, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege vulnerability exists in the
        way Windows Error Reporting (WER) handles files. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with administrator
        privileges.  (CVE-2019-1037)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where certain folders, with local
        service privilege, are vulnerable to symbolic link
        attack. An attacker who successfully exploited this
        vulnerability could potentially access unauthorized
        information. The update addresses this vulnerability by
        not allowing symbolic links in these scenarios.
        (CVE-2019-1074)
    
      - An elevation of privilege vulnerability exists in the
        way that the dnsrslvr.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1090)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A denial of service vulnerability exists when SymCrypt
        improperly handles a specially crafted digital
        signature. An attacker could exploit the vulnerability
        by creating a specially crafted connection or message.
        The security update addresses the vulnerability by
        correcting the way SymCrypt handles digital signatures.
        (CVE-2019-0865)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1129,
        CVE-2019-1130)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
    
      - A remote code execution vulnerability exists in the way
        that DirectWrite handles objects in memory. An attacker
        who successfully exploited this vulnerability could take
        control of the affected system. An attacker could then
        install programs; view, change, or delete data; or
        create new accounts with full user rights. There are
        multiple ways an attacker could exploit the
        vulnerability, such as by convincing a user to open a
        specially crafted document, or by convincing a user to
        visit an untrusted webpage. The security update
        addresses the vulnerability by correcting how
        DirectWrite handles objects in memory. (CVE-2019-1117,
        CVE-2019-1118, CVE-2019-1119, CVE-2019-1120,
        CVE-2019-1121, CVE-2019-1122, CVE-2019-1123,
        CVE-2019-1124, CVE-2019-1127, CVE-2019-1128)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507453/windows-10-update-kb4507453
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?29fe0038");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507453.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1128");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507453');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"18362",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507453])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507452.NASL
    descriptionThe remote Windows host is missing security update 4507461 or cumulative update 4507452. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1059) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095, CVE-2019-1098, CVE-2019-1099, CVE-2019-1100, CVE-2019-1101, CVE-2019-1116) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1132) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1088) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126573
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126573
    titleKB4507461: Windows Server 2008 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126573);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0887",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1059",
        "CVE-2019-1063",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1098",
        "CVE-2019-1099",
        "CVE-2019-1100",
        "CVE-2019-1101",
        "CVE-2019-1102",
        "CVE-2019-1104",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1116",
        "CVE-2019-1125",
        "CVE-2019-1132"
      );
      script_xref(name:"MSKB", value:"4507452");
      script_xref(name:"MSKB", value:"4507461");
      script_xref(name:"MSFT", value:"MS19-4507452");
      script_xref(name:"MSFT", value:"MS19-4507461");
    
      script_name(english:"KB4507461: Windows Server 2008 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507461
    or cumulative update 4507452. It is, therefore, affected by
    multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1059)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095, CVE-2019-1098,
        CVE-2019-1099, CVE-2019-1100, CVE-2019-1101,
        CVE-2019-1116)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - An elevation of privilege vulnerability exists in
        Windows when the Win32k component fails to properly
        handle objects in memory. An attacker who successfully
        exploited this vulnerability could run arbitrary code in
        kernel mode. An attacker could then install programs;
        view, change, or delete data; or create new accounts
        with full user rights.  (CVE-2019-1132)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1088)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507452/windows-server-2008-update-kb4507452
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?01b80f6a");
      # https://support.microsoft.com/en-us/help/4507461/windows-server-2008-update-kb4507461
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c28becb3");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4507461 or Cumulative Update KB4507452.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507461', '4507452');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.0",
                       sp:2,
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507461, 4507452])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507448.NASL
    descriptionThe remote Windows host is missing security update 4507457 or cumulative update 4507448. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege vulnerability exists in Microsoft Windows where a certain dll, with Local Service privilege, is vulnerable to race planting a customized dll. An attacker who successfully exploited this vulnerability could potentially elevate privilege to SYSTEM. The update addresses this vulnerability by requiring system privileges for a certain DLL. (CVE-2019-1082) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1130) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy. (CVE-2019-1126) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server. An attacker who successfully exploited the vulnerability could either run arbitrary code on the DHCP failover server or cause the DHCP service to become nonresponsive. (CVE-2019-0785) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - A denial of service vulnerability exists in Windows DNS Server when it fails to properly handle DNS queries. An attacker who successfully exploited this vulnerability could cause the DNS Server service to become nonresponsive. (CVE-2019-0811) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126570
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126570
    titleKB4507457: Windows 8.1 and Windows Server 2012 R2 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126570);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0785",
        "CVE-2019-0811",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1063",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1082",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1104",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1125",
        "CVE-2019-1126",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507448");
      script_xref(name:"MSKB", value:"4507457");
      script_xref(name:"MSFT", value:"MS19-4507448");
      script_xref(name:"MSFT", value:"MS19-4507457");
    
      script_name(english:"KB4507457: Windows 8.1 and Windows Server 2012 R2 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507457
    or cumulative update 4507448. It is, therefore, affected by
    multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where a certain dll, with Local
        Service privilege, is vulnerable to race planting a
        customized dll. An attacker who successfully exploited
        this vulnerability could potentially elevate privilege
        to SYSTEM. The update addresses this vulnerability by
        requiring system privileges for a certain DLL.
        (CVE-2019-1082)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1130)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A security feature bypass vulnerability exists in Active
        Directory Federation Services (ADFS) which could allow
        an attacker to bypass the extranet lockout policy.
        (CVE-2019-1126)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A memory corruption vulnerability exists in the Windows
        Server DHCP service when an attacker sends specially
        crafted packets to a DHCP failover server. An attacker
        who successfully exploited the vulnerability could
        either run arbitrary code on the DHCP failover server or
        cause the DHCP service to become nonresponsive.
        (CVE-2019-0785)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - A denial of service vulnerability exists in Windows DNS
        Server when it fails to properly handle DNS queries. An
        attacker who successfully exploited this vulnerability
        could cause the DNS Server service to become
        nonresponsive.  (CVE-2019-0811)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507448/windows-8-1-update-kb4507448
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d231fad3");
      # https://support.microsoft.com/en-us/help/4507457/windows-8-1-update-kb4507457
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1d422a75");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4507457 or Cumulative Update KB4507448.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507448', '4507457');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    # Windows 8 EOL
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname && "8.1" >!< productname)
      audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.3",
                       sp:0,
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507448, 4507457])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_DOTNET.NASL
    descriptionThe Microsoft .NET Framework installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083)
    last seen2020-06-01
    modified2020-06-02
    plugin id126600
    published2019-07-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126600
    titleSecurity Updates for Microsoft .NET Framework (July 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126600);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id("CVE-2019-1006", "CVE-2019-1083", "CVE-2019-1113");
      script_bugtraq_id(108977, 108981);
      script_xref(name:"MSKB", value:"4507435");
      script_xref(name:"MSKB", value:"4507460");
      script_xref(name:"MSKB", value:"4507423");
      script_xref(name:"MSKB", value:"4507422");
      script_xref(name:"MSKB", value:"4507421");
      script_xref(name:"MSKB", value:"4507420");
      script_xref(name:"MSKB", value:"4507414");
      script_xref(name:"MSKB", value:"4507419");
      script_xref(name:"MSKB", value:"4507412");
      script_xref(name:"MSKB", value:"4507413");
      script_xref(name:"MSKB", value:"4507411");
      script_xref(name:"MSKB", value:"4506991");
      script_xref(name:"MSKB", value:"4507450");
      script_xref(name:"MSKB", value:"4506987");
      script_xref(name:"MSKB", value:"4506986");
      script_xref(name:"MSKB", value:"4507455");
      script_xref(name:"MSKB", value:"4506989");
      script_xref(name:"MSKB", value:"4506988");
      script_xref(name:"MSKB", value:"4507458");
      script_xref(name:"MSFT", value:"MS19-4507435");
      script_xref(name:"MSFT", value:"MS19-4507460");
      script_xref(name:"MSFT", value:"MS19-4507423");
      script_xref(name:"MSFT", value:"MS19-4507422");
      script_xref(name:"MSFT", value:"MS19-4507421");
      script_xref(name:"MSFT", value:"MS19-4507420");
      script_xref(name:"MSFT", value:"MS19-4507414");
      script_xref(name:"MSFT", value:"MS19-4507419");
      script_xref(name:"MSFT", value:"MS19-4507412");
      script_xref(name:"MSFT", value:"MS19-4507413");
      script_xref(name:"MSFT", value:"MS19-4507411");
      script_xref(name:"MSFT", value:"MS19-4506991");
      script_xref(name:"MSFT", value:"MS19-4507450");
      script_xref(name:"MSFT", value:"MS19-4506987");
      script_xref(name:"MSFT", value:"MS19-4506986");
      script_xref(name:"MSFT", value:"MS19-4507455");
      script_xref(name:"MSFT", value:"MS19-4506989");
      script_xref(name:"MSFT", value:"MS19-4506988");
      script_xref(name:"MSFT", value:"MS19-4507458");
      script_xref(name:"IAVA", value:"2019-A-0240");
    
      script_name(english:"Security Updates for Microsoft .NET Framework (July 2019)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Microsoft .NET Framework installation on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The Microsoft .NET Framework installation on the remote host
    is missing security updates. It is, therefore, affected by
    multiple vulnerabilities :
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)");
      # https://support.microsoft.com/en-us/help/4507435/windows-10-update-kb4507435
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3bfac69e");
      # https://support.microsoft.com/en-us/help/4507460/windows-10-update-kb4507460
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd6e86c0");
      # https://support.microsoft.com/en-us/help/4507423/security-and-quality-rollup-for-net-framework-2-0-3-0-4-5-2-4-6
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9bd4e25a");
      # https://support.microsoft.com/en-us/help/4507422/security-and-quality-rollup-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?858ef63b");
      # https://support.microsoft.com/en-us/help/4507421/security-and-quality-rollup-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0de7f142");
      # https://support.microsoft.com/en-us/help/4507420/security-and-quality-rollup-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b8b7b50");
      # https://support.microsoft.com/en-us/help/4507414/security-only-update-for-net-framework-3-0-sp2-4-5-2-4-6
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb25ce98");
      # https://support.microsoft.com/en-us/help/4507419/july-9-2019-kb4507419-cumulative-update-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e436e1f");
      # https://support.microsoft.com/en-us/help/4507412/security-only-update-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2123a8a4");
      # https://support.microsoft.com/en-us/help/4507413/security-only-update-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fef03323");
      # https://support.microsoft.com/en-us/help/4507411/security-only-update-for-net-framework
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce4aeddd");
      # https://support.microsoft.com/en-us/help/4506991/july-9-2019-kb4506991-cumulative-update-for-net-framework-3-5-and-4-8
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8d3a86a9");
      # https://support.microsoft.com/en-us/help/4507450/windows-10-update-kb4507450
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f489340c");
      # https://support.microsoft.com/en-us/help/4506987/july-9-2019-kb4506987-cumulative-update-for-net-framework-4-8
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ff0c98be");
      # https://support.microsoft.com/en-us/help/4506986/july-9-2019-kb4506986-cumulative-update-for-net-framework-4-8
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7a0ad909");
      # https://support.microsoft.com/en-us/help/4507455/windows-10-update-kb4507455
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4741f3da");
      # https://support.microsoft.com/en-us/help/4506989/july-9-2019-kb4506989-cumulative-update-for-net-framework-4-8
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ccd5eb26");
      # https://support.microsoft.com/en-us/help/4506988/july-9-2019-kb4506988-cumulative-update-for-net-framework-4-8
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?df72c2c1");
      # https://support.microsoft.com/en-us/help/4507458/windows-10-update-kb4507458
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dfda1841");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released security updates for Microsoft .NET Framework.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1113");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/10");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_framework");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_dotnet_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "microsoft_net_framework_installed.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    include('audit.inc');
    include('global_settings.inc');
    include('install_func.inc');
    include('misc_func.inc');
    include('smb_func.inc');
    include('smb_hotfixes.inc');
    include('smb_hotfixes_fcheck.inc');
    
    get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
    
    bulletin = 'MS19-07';
    kbs = make_list(
      '4506986',
      '4506987',
      '4506988',
      '4506989',
      '4506991',
      '4507411',
      '4507412',
      '4507413',
      '4507414',
      '4507419',
      '4507420',
      '4507421',
      '4507422',
      '4507423',
      '4507435',
      '4507450',
      '4507455',
      '4507458',
      '4507460'
    );
    
    if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
    
    get_kb_item_or_exit('SMB/Registry/Enumerated');
    get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
    
    if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);
    if ('Windows 8' >< productname && 'Windows 8.1' >!< productname) audit(AUDIT_OS_SP_NOT_VULN);
    else if ('Vista' >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(exit_on_fail:TRUE, as_share:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    app = 'Microsoft .NET Framework';
    get_install_count(app_name:app, exit_if_zero:TRUE);
    installs = get_combined_installs(app_name:app);
    
    vuln = 0;
    
    if (installs[0] == 0)
    {
      foreach install (installs[1])
      {
        version = install['version'];
        if( version != UNKNOWN_VER &&
            smb_check_dotnet_rollup(rollup_date:'07_2019', dotnet_ver:version))
          vuln++;
      }
    }
    if(vuln)
    {
      hotfix_security_warning();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
    
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507449.NASL
    descriptionThe remote Windows host is missing security update 4507456 or cumulative update 4507449. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095, CVE-2019-1098, CVE-2019-1099, CVE-2019-1100, CVE-2019-1101, CVE-2019-1116) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1132) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1088) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - An elevation of privilege vulnerability exists in Microsoft Windows where a certain dll, with Local Service privilege, is vulnerable to race planting a customized dll. An attacker who successfully exploited this vulnerability could potentially elevate privilege to SYSTEM. The update addresses this vulnerability by requiring system privileges for a certain DLL. (CVE-2019-1082) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126571
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126571
    titleKB4507456: Windows 7 and Windows Server 2008 R2 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126571);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0887",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1063",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1082",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1098",
        "CVE-2019-1099",
        "CVE-2019-1100",
        "CVE-2019-1101",
        "CVE-2019-1102",
        "CVE-2019-1104",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1116",
        "CVE-2019-1125",
        "CVE-2019-1132"
      );
      script_xref(name:"MSKB", value:"4507449");
      script_xref(name:"MSKB", value:"4507456");
      script_xref(name:"MSFT", value:"MS19-4507449");
      script_xref(name:"MSFT", value:"MS19-4507456");
    
      script_name(english:"KB4507456: Windows 7 and Windows Server 2008 R2 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507456
    or cumulative update 4507449. It is, therefore, affected by
    multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095, CVE-2019-1098,
        CVE-2019-1099, CVE-2019-1100, CVE-2019-1101,
        CVE-2019-1116)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - An elevation of privilege vulnerability exists in
        Windows when the Win32k component fails to properly
        handle objects in memory. An attacker who successfully
        exploited this vulnerability could run arbitrary code in
        kernel mode. An attacker could then install programs;
        view, change, or delete data; or create new accounts
        with full user rights.  (CVE-2019-1132)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1088)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where a certain dll, with Local
        Service privilege, is vulnerable to race planting a
        customized dll. An attacker who successfully exploited
        this vulnerability could potentially elevate privilege
        to SYSTEM. The update addresses this vulnerability by
        requiring system privileges for a certain DLL.
        (CVE-2019-1082)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
        
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507449/windows-7-update-kb4507449
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cbe675e9");
      # https://support.microsoft.com/en-us/help/4507456/windows-7-update-kb4507456
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0b4f001f");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4507456 or Cumulative Update KB4507449.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1102");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507449', '4507456');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.1",
                       sp:1,
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507449, 4507456])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_JUL_4507435.NASL
    descriptionThe remote Windows host is missing security update 4507435. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0999) - A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1113) - A local elevation of privilege vulnerability exists in how splwow64.exe handles certain calls. An attacker who successfully exploited the vulnerability could elevate privileges on an affected system from low-integrity to medium-integrity. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. (CVE-2019-0880) - A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate input from a privileged user on a guest operating system. (CVE-2019-0966) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1062, CVE-2019-1092, CVE-2019-1103, CVE-2019-1106, CVE-2019-1107) - An information disclosure vulnerability exists when the Windows RDP client improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1108) - An information disclosure vulnerability exists when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2019-1096) - An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges. (CVE-2019-1037) - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1001) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1063) - An elevation of privilege vulnerability exists in Microsoft Windows where certain folders, with local service privilege, are vulnerable to symbolic link attack. An attacker who successfully exploited this vulnerability could potentially access unauthorized information. The update addresses this vulnerability by not allowing symbolic links in these scenarios. (CVE-2019-1074) - An elevation of privilege vulnerability exists in the way that the dnsrslvr.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1090) - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1104) - An information disclosure vulnerability exists when DirectWrite improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1093, CVE-2019-1097) - An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2019-1094, CVE-2019-1095) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory. (CVE-2019-1071) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1067) - An elevation of privilege exists in Windows Audio Service. An attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges. (CVE-2019-1086, CVE-2019-1087, CVE-2019-1088) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059) - A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-0887) - An elevation of privilege vulnerability exists in the way that the wlansvc.dll handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2019-1085) - A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application. The update addresses the vulnerability by correcting how the .NET web application handles web requests. (CVE-2019-1083) - An elevation of privilege vulnerability exists in rpcss.dll when the RPC service Activation Kernel improperly handles an RPC request. (CVE-2019-1089) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1073) - A denial of service vulnerability exists when SymCrypt improperly handles a specially crafted digital signature. An attacker could exploit the vulnerability by creating a specially crafted connection or message. The security update addresses the vulnerability by correcting the way SymCrypt handles digital signatures. (CVE-2019-0865) - A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1102) - An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key. This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly. (CVE-2019-1006) - An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1129, CVE-2019-1130) - An information disclosure vulnerability exists when Unistore.dll fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1091) - A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2019-1117, CVE-2019-1118, CVE-2019-1119, CVE-2019-1120, CVE-2019-1121, CVE-2019-1122, CVE-2019-1123, CVE-2019-1124, CVE-2019-1127, CVE-2019-1128) - An information disclosure vulnerability exists when certain central processing units (CPU) speculatively access memory. An attacker who successfully exploited the vulnerability could read privileged data across trust boundaries. (CVE-2019-1125)
    last seen2020-06-01
    modified2020-06-02
    plugin id126569
    published2019-07-09
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126569
    titleKB4507435: Windows 10 Version 1803 July 2019 Security Update (SWAPGS)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(126569);
      script_version("1.7");
      script_cvs_date("Date: 2019/10/18 23:14:15");
    
      script_cve_id(
        "CVE-2019-0865",
        "CVE-2019-0880",
        "CVE-2019-0887",
        "CVE-2019-0966",
        "CVE-2019-0999",
        "CVE-2019-1001",
        "CVE-2019-1004",
        "CVE-2019-1006",
        "CVE-2019-1037",
        "CVE-2019-1056",
        "CVE-2019-1059",
        "CVE-2019-1062",
        "CVE-2019-1063",
        "CVE-2019-1067",
        "CVE-2019-1071",
        "CVE-2019-1073",
        "CVE-2019-1074",
        "CVE-2019-1083",
        "CVE-2019-1085",
        "CVE-2019-1086",
        "CVE-2019-1087",
        "CVE-2019-1088",
        "CVE-2019-1089",
        "CVE-2019-1090",
        "CVE-2019-1091",
        "CVE-2019-1092",
        "CVE-2019-1093",
        "CVE-2019-1094",
        "CVE-2019-1095",
        "CVE-2019-1096",
        "CVE-2019-1097",
        "CVE-2019-1102",
        "CVE-2019-1103",
        "CVE-2019-1104",
        "CVE-2019-1106",
        "CVE-2019-1107",
        "CVE-2019-1108",
        "CVE-2019-1113",
        "CVE-2019-1117",
        "CVE-2019-1118",
        "CVE-2019-1119",
        "CVE-2019-1120",
        "CVE-2019-1121",
        "CVE-2019-1122",
        "CVE-2019-1123",
        "CVE-2019-1124",
        "CVE-2019-1125",
        "CVE-2019-1127",
        "CVE-2019-1128",
        "CVE-2019-1129",
        "CVE-2019-1130"
      );
      script_xref(name:"MSKB", value:"4507435");
      script_xref(name:"MSFT", value:"MS19-4507435");
    
      script_name(english:"KB4507435: Windows 10 Version 1803 July 2019 Security Update (SWAPGS)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4507435.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists when
        DirectX improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-0999)
    
      - A remote code execution vulnerability exists in .NET
        software when the software fails to check the source
        markup of a file. An attacker who successfully exploited
        the vulnerability could run arbitrary code in the
        context of the current user. If the current user is
        logged on with administrative user rights, an attacker
        could take control of the affected system. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with full user rights.
        (CVE-2019-1113)
    
      - A local elevation of privilege vulnerability exists in
        how splwow64.exe handles certain calls. An attacker who
        successfully exploited the vulnerability could elevate
        privileges on an affected system from low-integrity to
        medium-integrity. This vulnerability by itself does not
        allow arbitrary code execution; however, it could allow
        arbitrary code to be run if the attacker uses it in
        combination with another vulnerability (such as a remote
        code execution vulnerability or another elevation of
        privilege vulnerability) that is capable of leveraging
        the elevated privileges when code execution is
        attempted. (CVE-2019-0880)
    
      - A denial of service vulnerability exists when Microsoft
        Hyper-V on a host server fails to properly validate
        input from a privileged user on a guest operating
        system.  (CVE-2019-0966)
    
      - A remote code execution vulnerability exists in the way
        that the Chakra scripting engine handles objects in
        memory in Microsoft Edge. The vulnerability could
        corrupt memory in such a way that an attacker could
        execute arbitrary code in the context of the current
        user. An attacker who successfully exploited the
        vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1062, CVE-2019-1092,
        CVE-2019-1103, CVE-2019-1106, CVE-2019-1107)
    
      - An information disclosure vulnerability exists when the
        Windows RDP client improperly discloses the contents of
        its memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2019-1108)
    
      - An information disclosure vulnerability exists when the
        win32k component improperly provides kernel information.
        An attacker who successfully exploited the vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1096)
    
      - An elevation of privilege vulnerability exists in the
        way Windows Error Reporting (WER) handles files. An
        attacker who successfully exploited this vulnerability
        could run arbitrary code in kernel mode. An attacker
        could then install programs; view, change, or delete
        data; or create new accounts with administrator
        privileges.  (CVE-2019-1037)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1001)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1063)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows where certain folders, with local
        service privilege, are vulnerable to symbolic link
        attack. An attacker who successfully exploited this
        vulnerability could potentially access unauthorized
        information. The update addresses this vulnerability by
        not allowing symbolic links in these scenarios.
        (CVE-2019-1074)
    
      - An elevation of privilege vulnerability exists in the
        way that the dnsrslvr.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1090)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1104)
    
      - An information disclosure vulnerability exists when
        DirectWrite improperly discloses the contents of its
        memory. An attacker who successfully exploited the
        vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how DirectWrite handles objects in memory.
        (CVE-2019-1093, CVE-2019-1097)
    
      - An information disclosure vulnerability exists when the
        Windows GDI component improperly discloses the contents
        of its memory. An attacker who successfully exploited
        the vulnerability could obtain information to further
        compromise the users system. There are multiple ways an
        attacker could exploit the vulnerability, such as by
        convincing a user to open a specially crafted document,
        or by convincing a user to visit an untrusted webpage.
        The security update addresses the vulnerability by
        correcting how the Windows GDI component handles objects
        in memory. (CVE-2019-1094, CVE-2019-1095)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system. An authenticated attacker could exploit this
        vulnerability by running a specially crafted
        application. The update addresses the vulnerability by
        correcting how the Windows kernel handles objects in
        memory. (CVE-2019-1071)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2019-1067)
    
      - An elevation of privilege exists in Windows Audio
        Service. An attacker who successfully exploited the
        vulnerability could run arbitrary code with elevated
        privileges.  (CVE-2019-1086, CVE-2019-1087,
        CVE-2019-1088)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2019-1004, CVE-2019-1056, CVE-2019-1059)
    
      - A remote code execution vulnerability exists in Remote
        Desktop Services formerly known as Terminal Services
        when an authenticated attacker abuses clipboard
        redirection. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on the victim
        system. An attacker could then install programs; view,
        change, or delete data; or create new accounts with full
        user rights.  (CVE-2019-0887)
    
      - An elevation of privilege vulnerability exists in the
        way that the wlansvc.dll handles objects in memory. An
        attacker who successfully exploited the vulnerability
        could execute code with elevated permissions.
        (CVE-2019-1085)
    
      - A denial of service vulnerability exists when Microsoft
        Common Object Runtime Library improperly handles web
        requests. An attacker who successfully exploited this
        vulnerability could cause a denial of service against a
        .NET web application. A remote unauthenticated attacker
        could exploit this vulnerability by issuing specially
        crafted requests to the .NET application. The update
        addresses the vulnerability by correcting how the .NET
        web application handles web requests. (CVE-2019-1083)
    
      - An elevation of privilege vulnerability exists in
        rpcss.dll when the RPC service Activation Kernel
        improperly handles an RPC request.  (CVE-2019-1089)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1073)
    
      - A denial of service vulnerability exists when SymCrypt
        improperly handles a specially crafted digital
        signature. An attacker could exploit the vulnerability
        by creating a specially crafted connection or message.
        The security update addresses the vulnerability by
        correcting the way SymCrypt handles digital signatures.
        (CVE-2019-0865)
    
      - A remote code execution vulnerability exists in the way
        that the Windows Graphics Device Interface (GDI) handles
        objects in the memory. An attacker who successfully
        exploited this vulnerability could take control of the
        affected system. An attacker could then install
        programs; view, change, or delete data; or create new
        accounts with full user rights.  (CVE-2019-1102)
    
      - An authentication bypass vulnerability exists in Windows
        Communication Foundation (WCF) and Windows Identity
        Foundation (WIF), allowing signing of SAML tokens with
        arbitrary symmetric keys. This vulnerability allows an
        attacker to impersonate another user, which can lead to
        elevation of privileges. The vulnerability exists in
        WCF, WIF 3.5 and above in .NET Framework, WIF 1.0
        component in Windows, WIF Nuget package, and WIF
        implementation in SharePoint. An unauthenticated
        attacker can exploit this by signing a SAML token with
        any arbitrary symmetric key. This security update
        addresses the issue by ensuring all versions of WCF and
        WIF validate the key used to sign SAML tokens correctly.
        (CVE-2019-1006)
    
      - An elevation of privilege vulnerability exists when
        Windows AppX Deployment Service (AppXSVC) improperly
        handles hard links. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1129,
        CVE-2019-1130)
    
      - An information disclosure vulnerability exists when
        Unistore.dll fails to properly handle objects in memory.
        An attacker who successfully exploited the vulnerability
        could potentially disclose memory contents of an
        elevated process.  (CVE-2019-1091)
    
      - A remote code execution vulnerability exists in the way
        that DirectWrite handles objects in memory. An attacker
        who successfully exploited this vulnerability could take
        control of the affected system. An attacker could then
        install programs; view, change, or delete data; or
        create new accounts with full user rights. There are
        multiple ways an attacker could exploit the
        vulnerability, such as by convincing a user to open a
        specially crafted document, or by convincing a user to
        visit an untrusted webpage. The security update
        addresses the vulnerability by correcting how
        DirectWrite handles objects in memory. (CVE-2019-1117,
        CVE-2019-1118, CVE-2019-1119, CVE-2019-1120,
        CVE-2019-1121, CVE-2019-1122, CVE-2019-1123,
        CVE-2019-1124, CVE-2019-1127, CVE-2019-1128)
      
      - An information disclosure vulnerability exists when
        certain central processing units (CPU) speculatively
        access memory. An attacker who successfully exploited
        the vulnerability could read privileged data across
        trust boundaries. (CVE-2019-1125)");
      # https://support.microsoft.com/en-us/help/4507435/windows-10-update-kb4507435
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3bfac69e");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4507435.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1128");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-07";
    kbs = make_list('4507435');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"17134",
                       rollup_date:"07_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4507435])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }