Vulnerabilities > CVE-2019-1367 - Out-of-bounds Write vulnerability in Microsoft Internet Explorer 10/11/9

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
microsoft
CWE-787
nessus

Summary

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_SEP_WIN10_IE_OOB.NASL
    descriptionThe remote Windows host is missing a security update. It is, therefore, affected by a remote code execution vulnerability in the way that the scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id129167
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129167
    titleWindows 10, Server 2016 and Server 2019 September 2019 Security Update (CVE-2019-1367)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(129167);
      script_version("1.7");
      script_cvs_date("Date: 2020/01/30");
    
      script_cve_id("CVE-2019-1367");
      script_xref(name:"MSKB", value:"4522009");
      script_xref(name:"MSKB", value:"4522010");
      script_xref(name:"MSKB", value:"4522011");
      script_xref(name:"MSKB", value:"4522012");
      script_xref(name:"MSKB", value:"4522014");
      script_xref(name:"MSKB", value:"4522015");
      script_xref(name:"MSKB", value:"4522016");
      script_xref(name:"MSFT", value:"MS19-4522009");
      script_xref(name:"MSFT", value:"MS19-4522010");
      script_xref(name:"MSFT", value:"MS19-4522011");
      script_xref(name:"MSFT", value:"MS19-4522012");
      script_xref(name:"MSFT", value:"MS19-4522014");
      script_xref(name:"MSFT", value:"MS19-4522015");
      script_xref(name:"MSFT", value:"MS19-4522016");
    
      script_name(english:"Windows 10, Server 2016 and Server 2019 September 2019 Security Update (CVE-2019-1367)");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing a security update. It is,
    therefore, affected by a remote code execution vulnerability in the
    way that the scripting engine handles objects in memory. The
    vulnerability could corrupt memory in such a way that an attacker
    could execute arbitrary code in the context of the current user. An
    attacker who successfully exploited the vulnerability could gain the
    same user rights as the current user.");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522009");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522010");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522011");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522012");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522014");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522015");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522016");
      # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6fcaf7ca");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security updates to address this issue:
        -4522009
        -4522010
        -4522011
        -4522012
        -4522014
        -4522015
        -4522016");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1367");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS19-09";
    kbs = make_list(
      '4522009',
      '4522010',
      '4522011',
      '4522012',
      '4522014',
      '4522015',
      '4522016'
      );
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
        smb_check_rollup(os:"10", sp:0, os_build:"10240", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522009]) ||
        smb_check_rollup(os:"10", sp:0, os_build:"14393", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522010]) ||
        smb_check_rollup(os:"10", sp:0, os_build:"15063", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522011]) ||
        smb_check_rollup(os:"10", sp:0, os_build:"16299", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522012]) ||
        smb_check_rollup(os:"10", sp:0, os_build:"17134", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522014]) ||
        smb_check_rollup(os:"10", sp:0, os_build:"17763", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522015]) ||
        smb_check_rollup(os:"10", sp:0, os_build:"18362", rollup_date:"09_2019_oob", bulletin:bulletin, rollup_kb_list:[4522016]) 
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL familyWindows : Microsoft Bulletins
    NASL idSMB_NT_MS19_SEP_IE_OOB.NASL
    descriptionThe Internet Explorer installation on the remote host is missing security updates. It is, therefore, affected by a remote code execution vulnerability in the way that the scripting engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id129166
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129166
    titleSecurity Update for Internet Explorer (CVE-2019-1367)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(129166);
      script_version("1.6");
      script_cvs_date("Date: 2020/01/30");
    
      script_cve_id("CVE-2019-1367");
      script_xref(name:"MSKB", value:"4522007");
      script_xref(name:"MSFT", value:"MS19-4522007");
    
      script_name(english:"Security Update for Internet Explorer (CVE-2019-1367)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The Internet Explorer installation on the remote host is affected by 
    a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The Internet Explorer installation on the remote host is missing
    security  updates. It is, therefore, affected by a remote code
    execution vulnerability in the way that the scripting engine handles
    objects in memory. The vulnerability could corrupt memory in such a
    way that an attacker could execute arbitrary code in the context of
    the current user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the current user.");
      script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/help/4522007");
      # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6fcaf7ca");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released the following security update to address this issue:  
      -KB4522007");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-1367");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/24");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS19-09';
    kbs = make_list('4522007');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    os = get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0',  win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Windows 8" >< productname && "8.1" >!< productname)
     audit(AUDIT_OS_SP_NOT_VULN);
    if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    if (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      # Windows 8.1 / Windows Server 2012 R2
      # Internet Explorer 11
        hotfix_is_vulnerable(os:"6.3", sp:0, file:"mshtml.dll", version:"11.0.9600.19467", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") ||
    
      # Windows Server 2012
      # Internet Explorer 10
        hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"10.0.9200.22879", min_version:"10.0.9200.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") ||
      # Internet Explorer 11
        hotfix_is_vulnerable(os:"6.2", sp:0, file:"mshtml.dll", version:"11.0.9600.19467", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") ||
      
      # Windows 7 / Server 2008 R2
      # Internet Explorer 11
        hotfix_is_vulnerable(os:"6.1", sp:1, file:"mshtml.dll", version:"11.0.9600.19467", min_version:"11.0.9600.16000", dir:"\system32", bulletin:bulletin, kb:"4522007") ||
    
      # Windows Server 2008
      # Internet Explorer 9
      hotfix_is_vulnerable(os:"6.0", sp:2, file:"mshtml.dll", version:"9.0.8112.21372", min_version:"9.0.8112.16000", dir:"\system32", bulletin:bulletin, kb:"4522007")
    )
    {
      set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    

The Hacker News

idTHN:AB828E4EB75F9C7BC37B672D9FD0092E
last seen2019-09-24
modified2019-09-24
published2019-09-24
reporterThe Hacker News
sourcehttps://thehackernews.com/2019/09/windows-update-zero-day.html
titleMicrosoft Releases Emergency Patches for IE 0-Day and Windows Defender Flaw