Vulnerabilities > CVE-2019-1334 - Information Exposure vulnerability in Microsoft products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
low complexity
microsoft
CWE-200
nessus

Summary

An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory, aka 'Windows Kernel Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1345.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4520005.NASL
    descriptionThe remote Windows host is missing security update 4519990 or cumulative update 4520005. It is, therefore, affected by multiple vulnerabilities : - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - An elevation of privilege vulnerability exists when Microsoft IIS Server fails to check the length of a buffer prior to copying memory to it. An attacker who successfully exploited this vulnerability can allow an unprivileged function ran by the user to execute code in the context of NT AUTHORITY\system escaping the Sandbox. The security update addresses the vulnerability by correcting how Microsoft IIS Server sanitizes web requests. (CVE-2019-1365) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341)
    last seen2020-06-01
    modified2020-06-02
    plugin id129722
    published2019-10-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129722
    titleKB4519990: Windows 8.1 and Windows Server 2012 R2 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129722);
      script_version("1.8");
      script_cvs_date("Date: 2019/12/19");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1339",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1365",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4519990");
      script_xref(name:"MSKB", value:"4520005");
      script_xref(name:"MSFT", value:"MS19-4519990");
      script_xref(name:"MSFT", value:"MS19-4520005");
    
      script_name(english:"KB4519990: Windows 8.1 and Windows Server 2012 R2 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4519990
    or cumulative update 4520005. It is, therefore, affected by
    multiple vulnerabilities :
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - An elevation of privilege vulnerability exists when
        Microsoft IIS Server fails to check the length of a
        buffer prior to copying memory to it. An attacker who
        successfully exploited this vulnerability can allow an
        unprivileged function ran by the user to execute code in
        the context of NT AUTHORITY\system escaping the Sandbox.
        The security update addresses the vulnerability by
        correcting how Microsoft IIS Server sanitizes web
        requests. (CVE-2019-1365)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4519990/windows-8-1-kb4519990");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4520005/windows-8-1-kb4520005");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4519990 or Cumulative Update KB4520005.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4520005', '4519990');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    # Windows 8 EOL
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname && "8.1" >!< productname)
      audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.3",
                       sp:0,
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4520005, 4519990])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4520010.NASL
    descriptionThe remote Windows host is missing security update 4520010. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations. (CVE-2019-1340) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - An information disclosure vulnerability exists when the Windows Hyper-V Network Switch on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-1230) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334, CVE-2019-1345) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - An elevation of privilege vulnerability exists when Windows CloudStore improperly handles file Discretionary Access Control List (DACL). An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1321) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319)
    last seen2020-06-01
    modified2020-06-02
    plugin id129725
    published2019-10-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129725
    titleKB4520010: Windows 10 Version 1703 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129725);
      script_version("1.7");
      script_cvs_date("Date: 2019/12/19");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1230",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1321",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1339",
        "CVE-2019-1340",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1345",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4520010");
      script_xref(name:"MSFT", value:"MS19-4520010");
    
      script_name(english:"KB4520010: Windows 10 Version 1703 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4520010.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists in
        Windows AppX Deployment Server that allows file creation
        in arbitrary locations.  (CVE-2019-1340)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - An information disclosure vulnerability exists when the
        Windows Hyper-V Network Switch on a host operating
        system fails to properly validate input from an
        authenticated user on a guest operating system.
        (CVE-2019-1230)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334, CVE-2019-1345)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - An elevation of privilege vulnerability exists when
        Windows CloudStore improperly handles file Discretionary
        Access Control List (DACL). An attacker who successfully
        exploited this vulnerability could overwrite a targeted
        file leading to an elevated status.  (CVE-2019-1321)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)");
      # https://support.microsoft.com/en-us/help/4520010/windows-10-update-kb4520010
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4f0552f5");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4520010.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4520010');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"15063",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4520010])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4517389.NASL
    descriptionThe remote Windows host is missing security update 4517389. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations. (CVE-2019-1340) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1323, CVE-2019-1336) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334, CVE-2019-1345) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-1320, CVE-2019-1322) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A security feature bypass exists when Windows Secure Boot improperly restricts access to debugging functionality. An attacker who successfully exploited this vulnerability could disclose protected kernel memory. (CVE-2019-1368) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - An elevation of privilege vulnerability exists when Microsoft IIS Server fails to check the length of a buffer prior to copying memory to it. An attacker who successfully exploited this vulnerability can allow an unprivileged function ran by the user to execute code in the context of NT AUTHORITY\system escaping the Sandbox. The security update addresses the vulnerability by correcting how Microsoft IIS Server sanitizes web requests. (CVE-2019-1365) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - An elevation of privilege vulnerability exists when Windows CloudStore improperly handles file Discretionary Access Control List (DACL). An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1321) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An information disclosure vulnerability exists when Windows Update Client fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1337) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319)
    last seen2020-05-06
    modified2019-10-08
    plugin id129716
    published2019-10-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129716
    titleKB4517389: Windows 10 Version 1903 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(129716);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1320",
        "CVE-2019-1321",
        "CVE-2019-1322",
        "CVE-2019-1323",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1336",
        "CVE-2019-1337",
        "CVE-2019-1339",
        "CVE-2019-1340",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1345",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1365",
        "CVE-2019-1368",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4517389");
      script_xref(name:"MSFT", value:"MS19-4517389");
    
      script_name(english:"KB4517389: Windows 10 Version 1903 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4517389.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists in
        Windows AppX Deployment Server that allows file creation
        in arbitrary locations.  (CVE-2019-1340)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - An elevation of privilege vulnerability exists in the
        Microsoft Windows Update Client when it does not
        properly handle privileges. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1323,
        CVE-2019-1336)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334, CVE-2019-1345)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-1320,
        CVE-2019-1322)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A security feature bypass exists when Windows Secure
        Boot improperly restricts access to debugging
        functionality. An attacker who successfully exploited
        this vulnerability could disclose protected kernel
        memory.  (CVE-2019-1368)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - An elevation of privilege vulnerability exists when
        Microsoft IIS Server fails to check the length of a
        buffer prior to copying memory to it. An attacker who
        successfully exploited this vulnerability can allow an
        unprivileged function ran by the user to execute code in
        the context of NT AUTHORITY\system escaping the Sandbox.
        The security update addresses the vulnerability by
        correcting how Microsoft IIS Server sanitizes web
        requests. (CVE-2019-1365)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - An elevation of privilege vulnerability exists when
        Windows CloudStore improperly handles file Discretionary
        Access Control List (DACL). An attacker who successfully
        exploited this vulnerability could overwrite a targeted
        file leading to an elevated status.  (CVE-2019-1321)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An information disclosure vulnerability exists when
        Windows Update Client fails to properly handle objects
        in memory. An attacker who successfully exploited the
        vulnerability could potentially disclose memory contents
        of an elevated process.  (CVE-2019-1337)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)");
      # https://support.microsoft.com/en-us/help/4517389/windows-10-update-kb4517389
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?13a5b27c");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4517389.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4517389');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"18362",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4517389])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4520008.NASL
    descriptionThe remote Windows host is missing security update 4520008. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations. (CVE-2019-1340) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - An information disclosure vulnerability exists when the Windows Hyper-V Network Switch on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-1230) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334, CVE-2019-1345) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-1320, CVE-2019-1322) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A security feature bypass exists when Windows Secure Boot improperly restricts access to debugging functionality. An attacker who successfully exploited this vulnerability could disclose protected kernel memory. (CVE-2019-1368) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - An elevation of privilege vulnerability exists when Microsoft IIS Server fails to check the length of a buffer prior to copying memory to it. An attacker who successfully exploited this vulnerability can allow an unprivileged function ran by the user to execute code in the context of NT AUTHORITY\system escaping the Sandbox. The security update addresses the vulnerability by correcting how Microsoft IIS Server sanitizes web requests. (CVE-2019-1365) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - An elevation of privilege vulnerability exists when Windows CloudStore improperly handles file Discretionary Access Control List (DACL). An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1321) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319)
    last seen2020-05-06
    modified2019-10-08
    plugin id129724
    published2019-10-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129724
    titleKB4520008: Windows 10 Version 1803 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(129724);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1230",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1320",
        "CVE-2019-1321",
        "CVE-2019-1322",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1339",
        "CVE-2019-1340",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1345",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1365",
        "CVE-2019-1368",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4520008");
      script_xref(name:"MSFT", value:"MS19-4520008");
    
      script_name(english:"KB4520008: Windows 10 Version 1803 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4520008.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists in
        Windows AppX Deployment Server that allows file creation
        in arbitrary locations.  (CVE-2019-1340)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - An information disclosure vulnerability exists when the
        Windows Hyper-V Network Switch on a host operating
        system fails to properly validate input from an
        authenticated user on a guest operating system.
        (CVE-2019-1230)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334, CVE-2019-1345)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-1320,
        CVE-2019-1322)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A security feature bypass exists when Windows Secure
        Boot improperly restricts access to debugging
        functionality. An attacker who successfully exploited
        this vulnerability could disclose protected kernel
        memory.  (CVE-2019-1368)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - An elevation of privilege vulnerability exists when
        Microsoft IIS Server fails to check the length of a
        buffer prior to copying memory to it. An attacker who
        successfully exploited this vulnerability can allow an
        unprivileged function ran by the user to execute code in
        the context of NT AUTHORITY\system escaping the Sandbox.
        The security update addresses the vulnerability by
        correcting how Microsoft IIS Server sanitizes web
        requests. (CVE-2019-1365)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - An elevation of privilege vulnerability exists when
        Windows CloudStore improperly handles file Discretionary
        Access Control List (DACL). An attacker who successfully
        exploited this vulnerability could overwrite a targeted
        file leading to an elevated status.  (CVE-2019-1321)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)");
      # https://support.microsoft.com/en-us/help/4520008/windows-10-update-kb4520008
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0ed66c5d");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4520008.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4520008');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"17134",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4520008])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4520004.NASL
    descriptionThe remote Windows host is missing security update 4520004. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations. (CVE-2019-1340) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - An information disclosure vulnerability exists when the Windows Hyper-V Network Switch on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-1230) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-1320) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334, CVE-2019-1345) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - An elevation of privilege vulnerability exists when Windows CloudStore improperly handles file Discretionary Access Control List (DACL). An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1321) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319)
    last seen2020-05-31
    modified2019-10-08
    plugin id129721
    published2019-10-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129721
    titleKB4520004: Windows 10 Version 1709 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129721);
      script_version("1.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/27");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1230",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1320",
        "CVE-2019-1321",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1339",
        "CVE-2019-1340",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1345",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4520004");
      script_xref(name:"MSFT", value:"MS19-4520004");
    
      script_name(english:"KB4520004: Windows 10 Version 1709 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4520004.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists in
        Windows AppX Deployment Server that allows file creation
        in arbitrary locations.  (CVE-2019-1340)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - An information disclosure vulnerability exists when the
        Windows Hyper-V Network Switch on a host operating
        system fails to properly validate input from an
        authenticated user on a guest operating system.
        (CVE-2019-1230)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-1320)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334, CVE-2019-1345)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - An elevation of privilege vulnerability exists when
        Windows CloudStore improperly handles file Discretionary
        Access Control List (DACL). An attacker who successfully
        exploited this vulnerability could overwrite a targeted
        file leading to an elevated status.  (CVE-2019-1321)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)");
      # https://support.microsoft.com/en-us/help/4520004/windows-10-update-kb4520004
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?60d0b932");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4520004.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4520004');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    my_os_build = get_kb_item("SMB/WindowsVersionBuild");
    productname = get_kb_item_or_exit("SMB/ProductName");
    
    if (my_os_build = "16299" && "enterprise" >!< tolower(productname) && "education" >!< tolower(productname) && "server" >!< tolower(productname))
      audit(AUDIT_OS_NOT, "a supported version of Windows");
    
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"16299",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4520004])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4519998.NASL
    descriptionThe remote Windows host is missing security update 4519998. It is, therefore, affected by multiple vulnerabilities : - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334, CVE-2019-1345) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - An elevation of privilege vulnerability exists when Microsoft IIS Server fails to check the length of a buffer prior to copying memory to it. An attacker who successfully exploited this vulnerability can allow an unprivileged function ran by the user to execute code in the context of NT AUTHORITY\system escaping the Sandbox. The security update addresses the vulnerability by correcting how Microsoft IIS Server sanitizes web requests. (CVE-2019-1365) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319)
    last seen2020-06-01
    modified2020-06-02
    plugin id129719
    published2019-10-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129719
    titleKB4519998: Windows 10 Version 1607 and Windows Server 2016 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129719);
      script_version("1.8");
      script_cvs_date("Date: 2019/12/19");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1339",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1345",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1365",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4519998");
      script_xref(name:"MSFT", value:"MS19-4519998");
    
      script_name(english:"KB4519998: Windows 10 Version 1607 and Windows Server 2016 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4519998.
    It is, therefore, affected by multiple vulnerabilities :
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334, CVE-2019-1345)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - An elevation of privilege vulnerability exists when
        Microsoft IIS Server fails to check the length of a
        buffer prior to copying memory to it. An attacker who
        successfully exploited this vulnerability can allow an
        unprivileged function ran by the user to execute code in
        the context of NT AUTHORITY\system escaping the Sandbox.
        The security update addresses the vulnerability by
        correcting how Microsoft IIS Server sanitizes web
        requests. (CVE-2019-1365)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)");
      # https://support.microsoft.com/en-us/help/4519998/windows-10-update-kb4519998
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5df9140f");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4519998.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4519998');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"14393",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4519998])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4520011.NASL
    descriptionThe remote Windows host is missing security update 4520011. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341)
    last seen2020-06-01
    modified2020-06-02
    plugin id129726
    published2019-10-08
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129726
    titleKB4520011: Windows 10 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129726);
      script_version("1.7");
      script_cvs_date("Date: 2019/12/19");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1238",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1339",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4520011");
      script_xref(name:"MSFT", value:"MS19-4520011");
    
      script_name(english:"KB4520011: Windows 10 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4520011.
    It is, therefore, affected by multiple vulnerabilities :
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)");
      # https://support.microsoft.com/en-us/help/4520011/windows-10-update-kb4520011
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8905e062");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4520011.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4520011');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"10240",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4520011])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_OCT_4519338.NASL
    descriptionThe remote Windows host is missing security update 4519338. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows AppX Deployment Server that allows file creation in arbitrary locations. (CVE-2019-1340) - A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-0608) - A denial of service vulnerability exists when Windows improperly handles hard links. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1317) - A denial of service vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited the vulnerability could cause a target system to stop responding. (CVE-2019-1343, CVE-2019-1346, CVE-2019-1347) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles a process crash. An attacker who successfully exploited this vulnerability could delete a targeted file leading to an elevated status. (CVE-2019-1342) - An elevation of privilege vulnerability exists in the Microsoft Windows Update Client when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1323, CVE-2019-1336) - An information disclosure vulnerability exists when the Windows Hyper-V Network Switch on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2019-1230) - A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1371) - An elevation of privilege vulnerability exists in Microsoft Windows Setup when it does not properly handle privileges. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. (CVE-2019-1316) - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1334, CVE-2019-1345) - A spoofing vulnerability exists when Transport Layer Security (TLS) accesses non- Extended Master Secret (EMS) sessions. An attacker who successfully exploited this vulnerability may gain access to unauthorized information. (CVE-2019-1318) - An elevation of privilege vulnerability exists when Windows improperly handles authentication requests. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could exploit this vulnerability by running a specially crafted application on the victim system. The update addresses the vulnerability by correcting the way Windows handles authentication requests. (CVE-2019-1320, CVE-2019-1322) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2019-1238, CVE-2019-1239) - A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2019-1333) - A security feature bypass exists when Windows Secure Boot improperly restricts access to debugging functionality. An attacker who successfully exploited this vulnerability could disclose protected kernel memory. (CVE-2019-1368) - A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features. (CVE-2019-1166) - An elevation of privilege vulnerability exists in the Windows redirected drive buffering system (rdbss.sys) when the operating system improperly handles specific local calls within Windows 7 for 32-bit systems. When this vulnerability is exploited within other versions of Windows it can cause a denial of service, but not an elevation of privilege. (CVE-2019-1325) - An elevation of privilege vulnerability exists when Windows Error Reporting manager improperly handles hard links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1315, CVE-2019-1339) - An elevation of privilege vulnerability exists when Microsoft IIS Server fails to check the length of a buffer prior to copying memory to it. An attacker who successfully exploited this vulnerability can allow an unprivileged function ran by the user to execute code in the context of NT AUTHORITY\system escaping the Sandbox. The security update addresses the vulnerability by correcting how Microsoft IIS Server sanitizes web requests. (CVE-2019-1365) - A spoofing vulnerability exists when Microsoft Browsers improperly handle browser cookies. An attacker who successfully exploited this vulnerability could trick a browser into overwriting a secure cookie with an insecure cookie. The insecure cookie could serve as a pivot to chain an attack with other vulnerabilities in web services. (CVE-2019-1357) - An elevation of privilege vulnerability exists when Windows CloudStore improperly handles file Discretionary Access Control List (DACL). An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status. (CVE-2019-1321) - A remote code execution vulnerability exists when the Microsoft XML Core Services MSXML parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the users system. (CVE-2019-1060) - A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2019-1358, CVE-2019-1359) - An information disclosure vulnerability exists in the way that the Windows Code Integrity Module handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2019-1344) - A remote code execution vulnerability exists when the Windows Imaging API improperly handles objects in memory. The vulnerability could corrupt memory in a way that enables an attacker to execute arbitrary code in the context of the current user. (CVE-2019-1311) - A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests. An attacker who successfully exploited this vulnerability could cause the RDP service on the target system to stop responding. (CVE-2019-1326) - An information disclosure vulnerability exists when Windows Update Client fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could potentially disclose memory contents of an elevated process. (CVE-2019-1337) - An elevation of privilege vulnerability exists when umpo.dll of the Power Service, improperly handles a Registry Restore Key function. An attacker who successfully exploited this vulnerability could delete a targeted registry key leading to an elevated status. (CVE-2019-1341) - An elevation of privilege vulnerability exists in Windows Error Reporting (WER) when WER handles and executes files. The vulnerability could allow elevation of privilege if an attacker can successfully exploit it. An attacker who successfully exploited the vulnerability could gain greater access to sensitive information and system functionality. (CVE-2019-1319)
    last seen2020-05-06
    modified2019-10-08
    plugin id129717
    published2019-10-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129717
    titleKB4519338: Windows 10 Version 1809 and Windows Server 2019 October 2019 Security Update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    
    
    
    include('compat.inc');
    
    if (description)
    {
      script_id(129717);
      script_version("1.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2019-0608",
        "CVE-2019-1060",
        "CVE-2019-1166",
        "CVE-2019-1230",
        "CVE-2019-1238",
        "CVE-2019-1239",
        "CVE-2019-1311",
        "CVE-2019-1315",
        "CVE-2019-1316",
        "CVE-2019-1317",
        "CVE-2019-1318",
        "CVE-2019-1319",
        "CVE-2019-1320",
        "CVE-2019-1321",
        "CVE-2019-1322",
        "CVE-2019-1323",
        "CVE-2019-1325",
        "CVE-2019-1326",
        "CVE-2019-1333",
        "CVE-2019-1334",
        "CVE-2019-1336",
        "CVE-2019-1337",
        "CVE-2019-1339",
        "CVE-2019-1340",
        "CVE-2019-1341",
        "CVE-2019-1342",
        "CVE-2019-1343",
        "CVE-2019-1344",
        "CVE-2019-1345",
        "CVE-2019-1346",
        "CVE-2019-1347",
        "CVE-2019-1357",
        "CVE-2019-1358",
        "CVE-2019-1359",
        "CVE-2019-1365",
        "CVE-2019-1368",
        "CVE-2019-1371"
      );
      script_xref(name:"MSKB", value:"4519338");
      script_xref(name:"MSFT", value:"MS19-4519338");
    
      script_name(english:"KB4519338: Windows 10 Version 1809 and Windows Server 2019 October 2019 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4519338.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists in
        Windows AppX Deployment Server that allows file creation
        in arbitrary locations.  (CVE-2019-1340)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        does not properly parse HTTP content. An attacker who
        successfully exploited this vulnerability could
        impersonate a user request by crafting HTTP queries. The
        specially crafted website could either spoof content or
        serve as a pivot to chain an attack with other
        vulnerabilities in web services.  (CVE-2019-0608)
    
      - A denial of service vulnerability exists when Windows
        improperly handles hard links. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1317)
    
      - A denial of service vulnerability exists when Windows
        improperly handles objects in memory. An attacker who
        successfully exploited the vulnerability could cause a
        target system to stop responding.  (CVE-2019-1343,
        CVE-2019-1346, CVE-2019-1347)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles a
        process crash. An attacker who successfully exploited
        this vulnerability could delete a targeted file leading
        to an elevated status.  (CVE-2019-1342)
    
      - An elevation of privilege vulnerability exists in the
        Microsoft Windows Update Client when it does not
        properly handle privileges. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context. An attacker could then install
        programs; view, change or delete data.  (CVE-2019-1323,
        CVE-2019-1336)
    
      - An information disclosure vulnerability exists when the
        Windows Hyper-V Network Switch on a host operating
        system fails to properly validate input from an
        authenticated user on a guest operating system.
        (CVE-2019-1230)
    
      - A remote code execution vulnerability exists when
        Internet Explorer improperly accesses objects in memory.
        The vulnerability could corrupt memory in such a way
        that an attacker could execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2019-1371)
    
      - An elevation of privilege vulnerability exists in
        Microsoft Windows Setup when it does not properly handle
        privileges. An attacker who successfully exploited this
        vulnerability could run processes in an elevated
        context. An attacker could then install programs; view,
        change or delete data.  (CVE-2019-1316)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2019-1334, CVE-2019-1345)
    
      - A spoofing vulnerability exists when Transport Layer
        Security (TLS) accesses non- Extended Master Secret
        (EMS) sessions. An attacker who successfully exploited
        this vulnerability may gain access to unauthorized
        information.  (CVE-2019-1318)
    
      - An elevation of privilege vulnerability exists when
        Windows improperly handles authentication requests. An
        attacker who successfully exploited this vulnerability
        could run processes in an elevated context. An attacker
        could exploit this vulnerability by running a specially
        crafted application on the victim system. The update
        addresses the vulnerability by correcting the way
        Windows handles authentication requests. (CVE-2019-1320,
        CVE-2019-1322)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2019-1238, CVE-2019-1239)
    
      - A remote code execution vulnerability exists in the
        Windows Remote Desktop Client when a user connects to a
        malicious server. An attacker who successfully exploited
        this vulnerability could execute arbitrary code on the
        computer of the connecting client. An attacker could
        then install programs; view, change, or delete data; or
        create new accounts with full user rights.
        (CVE-2019-1333)
    
      - A security feature bypass exists when Windows Secure
        Boot improperly restricts access to debugging
        functionality. An attacker who successfully exploited
        this vulnerability could disclose protected kernel
        memory.  (CVE-2019-1368)
    
      - A tampering vulnerability exists in Microsoft Windows
        when a man-in-the-middle attacker is able to
        successfully bypass the NTLM MIC (Message Integrity
        Check) protection. An attacker who successfully
        exploited this vulnerability could gain the ability to
        downgrade NTLM security features.  (CVE-2019-1166)
    
      - An elevation of privilege vulnerability exists in the
        Windows redirected drive buffering system (rdbss.sys)
        when the operating system improperly handles specific
        local calls within Windows 7 for 32-bit systems. When
        this vulnerability is exploited within other versions of
        Windows it can cause a denial of service, but not an
        elevation of privilege.  (CVE-2019-1325)
    
      - An elevation of privilege vulnerability exists when
        Windows Error Reporting manager improperly handles hard
        links. An attacker who successfully exploited this
        vulnerability could overwrite a targeted file leading to
        an elevated status.  (CVE-2019-1315, CVE-2019-1339)
    
      - An elevation of privilege vulnerability exists when
        Microsoft IIS Server fails to check the length of a
        buffer prior to copying memory to it. An attacker who
        successfully exploited this vulnerability can allow an
        unprivileged function ran by the user to execute code in
        the context of NT AUTHORITY\system escaping the Sandbox.
        The security update addresses the vulnerability by
        correcting how Microsoft IIS Server sanitizes web
        requests. (CVE-2019-1365)
    
      - A spoofing vulnerability exists when Microsoft Browsers
        improperly handle browser cookies. An attacker who
        successfully exploited this vulnerability could trick a
        browser into overwriting a secure cookie with an
        insecure cookie. The insecure cookie could serve as a
        pivot to chain an attack with other vulnerabilities in
        web services.  (CVE-2019-1357)
    
      - An elevation of privilege vulnerability exists when
        Windows CloudStore improperly handles file Discretionary
        Access Control List (DACL). An attacker who successfully
        exploited this vulnerability could overwrite a targeted
        file leading to an elevated status.  (CVE-2019-1321)
    
      - A remote code execution vulnerability exists when the
        Microsoft XML Core Services MSXML parser processes user
        input. An attacker who successfully exploited the
        vulnerability could run malicious code remotely to take
        control of the users system.  (CVE-2019-1060)
    
      - A remote code execution vulnerability exists when the
        Windows Jet Database Engine improperly handles objects
        in memory. An attacker who successfully exploited this
        vulnerability could execute arbitrary code on a victim
        system. An attacker could exploit this vulnerability by
        enticing a victim to open a specially crafted file. The
        update addresses the vulnerability by correcting the way
        the Windows Jet Database Engine handles objects in
        memory. (CVE-2019-1358, CVE-2019-1359)
    
      - An information disclosure vulnerability exists in the
        way that the Windows Code Integrity Module handles
        objects in memory. An attacker who successfully
        exploited this vulnerability could obtain information to
        further compromise the users system.  (CVE-2019-1344)
    
      - A remote code execution vulnerability exists when the
        Windows Imaging API improperly handles objects in
        memory. The vulnerability could corrupt memory in a way
        that enables an attacker to execute arbitrary code in
        the context of the current user.  (CVE-2019-1311)
    
      - A denial of service vulnerability exists in Remote
        Desktop Protocol (RDP) when an attacker connects to the
        target system using RDP and sends specially crafted
        requests. An attacker who successfully exploited this
        vulnerability could cause the RDP service on the target
        system to stop responding.  (CVE-2019-1326)
    
      - An information disclosure vulnerability exists when
        Windows Update Client fails to properly handle objects
        in memory. An attacker who successfully exploited the
        vulnerability could potentially disclose memory contents
        of an elevated process.  (CVE-2019-1337)
    
      - An elevation of privilege vulnerability exists when
        umpo.dll of the Power Service, improperly handles a
        Registry Restore Key function. An attacker who
        successfully exploited this vulnerability could delete a
        targeted registry key leading to an elevated status.
        (CVE-2019-1341)
    
      - An elevation of privilege vulnerability exists in
        Windows Error Reporting (WER) when WER handles and
        executes files. The vulnerability could allow elevation
        of privilege if an attacker can successfully exploit it.
        An attacker who successfully exploited the vulnerability
        could gain greater access to sensitive information and
        system functionality.  (CVE-2019-1319)");
      # https://support.microsoft.com/en-us/help/4519338/windows-10-update-kb4519338
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef69aa73");
      script_set_attribute(attribute:"solution", value:
    "Apply Cumulative Update KB4519338.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1359");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft UPnP Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-10";
    kbs = make_list('4519338');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"10",
                       sp:0,
                       os_build:"17763",
                       rollup_date:"10_2019",
                       bulletin:bulletin,
                       rollup_kb_list:[4519338])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }