ID CVE-2018-0886
Summary The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
References
Vulnerable Configurations
  • cpe:2.3:o:microsoft:windows_10
    cpe:2.3:o:microsoft:windows_10
  • cpe:2.3:o:microsoft:windows_10:1511
    cpe:2.3:o:microsoft:windows_10:1511
  • cpe:2.3:o:microsoft:windows_10:1607
    cpe:2.3:o:microsoft:windows_10:1607
  • Microsoft Windows 10 1703
    cpe:2.3:o:microsoft:windows_10:1703
  • Microsoft Windows 10 1709
    cpe:2.3:o:microsoft:windows_10:1709
  • cpe:2.3:o:microsoft:windows_10:1803
    cpe:2.3:o:microsoft:windows_10:1803
  • cpe:2.3:o:microsoft:windows_7:-:sp1
    cpe:2.3:o:microsoft:windows_7:-:sp1
  • cpe:2.3:o:microsoft:windows_8.1
    cpe:2.3:o:microsoft:windows_8.1
  • Microsoft Windows RT 8.1
    cpe:2.3:o:microsoft:windows_rt_8.1
  • Microsoft Windows Server 2008 Service Pack 2
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:itanium
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:itanium
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:x64
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:-:-:-:-:x64
  • Microsoft Windows Server 2012
    cpe:2.3:o:microsoft:windows_server_2012
  • cpe:2.3:o:microsoft:windows_server_2012:r2
    cpe:2.3:o:microsoft:windows_server_2012:r2
  • Microsoft Windows Server 2016
    cpe:2.3:o:microsoft:windows_server_2016
  • Microsoft Windows Server 2016 1709
    cpe:2.3:o:microsoft:windows_server_2016:1709
  • Microsoft Windows Server 2016 1803
    cpe:2.3:o:microsoft:windows_server_2016:1803
CVSS
Base: 7.6
Impact:
Exploitability:
CWE CWE-287
CAPEC
  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.
exploit-db via4
description Microsoft Credential Security Support Provider - Remote Code Execution. CVE-2018-0886. Remote exploit for Windows platform
file exploits/windows/remote/44453.md
id EDB-ID:44453
last seen 2018-05-24
modified 2018-04-13
platform windows
port
published 2018-04-13
reporter Exploit-DB
source https://www.exploit-db.com/download/44453/
title Microsoft Credential Security Support Provider - Remote Code Execution
type remote
msbulletin via4
bulletin_SOURCE_FILE https://portal.msrc.microsoft.com/api/security-guidance/en-us/
cves_url https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886
impact Remote Code Execution
knowledgebase_SOURCE_FILE
knowledgebase_id
name Windows Server, version 1803 (Server Core Installation)
publishedDate 2018-03-13T07:00:00
severity Important
nessus via4
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088875.NASL
    description The remote Windows host is missing security update 4088878 or cumulative update 4088875. It is, therefore, affected by multiple vulnerabilities : - An vulnerability exists within microprocessors utilizing speculative execution and indirect branch prediction, which may allow an attacker with local user access to disclose information via a side-channel analysis. Note: this patch applies to only 32-bit Windows 7 systems. (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An elevation of privilege vulnerability exists when Internet Explorer fails a check, allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The update addresses the vulnerability by correcting how Internet Explorer handles zone and integrity settings. (CVE-2018-0942) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0815, CVE-2018-0816, CVE-2018-0817) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 108290
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108290
    title KB4088878: Windows 7 and Windows Server 2008 R2 March 2018 Security Update (Meltdown)(Spectre)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAY_WIN2008.NASL
    description The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploits this vulnerability could relay user credentials and use them to execute code on the target host. (CVE-2018-0886) - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8897) - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8167) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8120, CVE-2018-8124, CVE-2018-8164, CVE-2018-8166) - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-0824) - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8174) - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0959)
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 109651
    published 2018-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109651
    title Security Updates for Windows Server 2008 (May 2018)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088877.NASL
    description The remote Windows host is missing security update 4088880 or cumulative update 4088877. It is, therefore, affected by multiple vulnerabilities : - An vulnerability exists within microprocessors utilizing speculative execution and indirect branch prediction, which may allow an attacker with local user access to disclose information via a side-channel analysis. (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0816, CVE-2018-0817) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 108292
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108292
    title KB4088880: Windows Server 2012 March 2018 Security Update (Meltdown)(Spectre)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088782.NASL
    description The remote Windows host is missing security update 4088782. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0880, CVE-2018-0882) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0872, CVE-2018-0873, CVE-2018-0874, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934, CVE-2018-0937) - An elevation of privilege vulnerability exists when Storage Services improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0983) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0977) - A security feature bypass vulnerability exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-0884) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0939) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - An elevation of privilege vulnerability exists when Internet Explorer fails a check, allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The update addresses the vulnerability by correcting how Internet Explorer handles zone and integrity settings. (CVE-2018-0942) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A security feature bypass vulnerability exists in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly validate and enforce impersonation levels. An attacker could exploit this vulnerability by convincing a user to run a specially crafted application that is designed to cause CNG to improperly validate impersonation levels, potentially allowing the attacker to gain access to information beyond the access level of the local user. The security update addresses the vulnerability by correcting how the kernel-mode driver validates and enforces impersonation levels. (CVE-2018-0902) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0876, CVE-2018-0893) - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - An elevation of privilege vulnerability exists in Windows when the Desktop Bridge VFS does not take into acccount user/kernel mode when managing file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0877) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0817) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0926)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 108286
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108286
    title KB4088782: Windows 10 Version 1703 March 2018 Security Update
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088876.NASL
    description The remote Windows host is missing security update 4088879 or cumulative update 4088876. It is, therefore, affected by multiple vulnerabilities : - An vulnerability exists within microprocessors utilizing speculative execution and indirect branch prediction, which may allow an attacker with local user access to disclose information via a side-channel analysis. (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An elevation of privilege vulnerability exists when Internet Explorer fails a check, allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The update addresses the vulnerability by correcting how Internet Explorer handles zone and integrity settings. (CVE-2018-0942) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0816, CVE-2018-0817) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891)
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 108291
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108291
    title KB4088879: Windows 8.1 and Windows Server 2012 R2 March 2018 Security Update (Meltdown)(Spectre)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088776.NASL
    description The remote Windows host is missing security update 4088776. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when Microsoft Edge improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0879) - An elevation of privilege vulnerability exists when Storage Services improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0983) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0977) - A security feature bypass vulnerability exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-0884) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft Edge. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0939) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0872, CVE-2018-0873, CVE-2018-0874, CVE-2018-0930, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934, CVE-2018-0936, CVE-2018-0937) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A security feature bypass vulnerability exists in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly validate and enforce impersonation levels. An attacker could exploit this vulnerability by convincing a user to run a specially crafted application that is designed to cause CNG to improperly validate impersonation levels, potentially allowing the attacker to gain access to information beyond the access level of the local user. The security update addresses the vulnerability by correcting how the kernel-mode driver validates and enforces impersonation levels. (CVE-2018-0902) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0876, CVE-2018-0893) - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0880) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - An elevation of privilege vulnerability exists in Windows when the Desktop Bridge VFS does not take into acccount user/kernel mode when managing file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0877) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0817) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0926)
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 108284
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108284
    title KB4088776: Windows 10 Version 1709 and Windows Server Version 1709 March 2018 Security Update
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088787.NASL
    description The remote Windows host is missing security update 4088787. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Windows when Desktop Bridge does not properly manage the virtual registry. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0880, CVE-2018-0882) - An elevation of privilege vulnerability exists when Storage Services improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0983) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0816, CVE-2018-0817) - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0977) - A security feature bypass vulnerability exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-0884) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - An elevation of privilege vulnerability exists when Internet Explorer fails a check, allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The update addresses the vulnerability by correcting how Internet Explorer handles zone and integrity settings. (CVE-2018-0942) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A security feature bypass vulnerability exists in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly validate and enforce impersonation levels. An attacker could exploit this vulnerability by convincing a user to run a specially crafted application that is designed to cause CNG to improperly validate impersonation levels, potentially allowing the attacker to gain access to information beyond the access level of the local user. The security update addresses the vulnerability by correcting how the kernel-mode driver validates and enforces impersonation levels. (CVE-2018-0902) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0876, CVE-2018-0893) - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - An elevation of privilege vulnerability exists in Windows when the Desktop Bridge VFS does not take into acccount user/kernel mode when managing file paths. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0877) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814, CVE-2018-0926) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0872, CVE-2018-0873, CVE-2018-0874, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 108289
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108289
    title KB4088787: Windows 10 Version 1607 and Windows Server 2016 March 2018 Security Update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2019-96.NASL
    description This update for freerdp fixes the following issues : Security issues fixed : - CVE-2018-0886: Fix a remote code execution vulnerability (CredSSP) (bsc#1085416, bsc#1087240, bsc#1104918) - CVE-2018-8789: Fix several denial of service vulnerabilities in the in the NTLM Authentication module (bsc#1117965) - CVE-2018-8785: Fix a potential remote code execution vulnerability in the zgfx_decompress function (bsc#1117967) - CVE-2018-8786: Fix a potential remote code execution vulnerability in the update_read_bitmap_update function (bsc#1117966) - CVE-2018-8787: Fix a potential remote code execution vulnerability in the gdi_Bitmap_Decompress function (bsc#1117964) - CVE-2018-8788: Fix a potential remote code execution vulnerability in the nsc_rle_decode function (bsc#1117963) - CVE-2018-8784: Fix a potential remote code execution vulnerability in the zgfx_decompress_segment function (bsc#1116708) - CVE-2018-1000852: Fixed a remote memory access in the drdynvc_process_capability_request function (bsc#1120507) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2019-01-30
    plugin id 121462
    published 2019-01-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121462
    title openSUSE Security Update : freerdp (openSUSE-2019-96)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088779.NASL
    description The remote Windows host is missing security update 4088779. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An elevation of privilege vulnerability exists when Internet Explorer fails a check, allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The update addresses the vulnerability by correcting how Internet Explorer handles zone and integrity settings. (CVE-2018-0942) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814) - An elevation of privilege vulnerability exists when Storage Services improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0983) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0816, CVE-2018-0817) - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0977) - A security feature bypass vulnerability exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-0884) - A security feature bypass vulnerability exists in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly validate and enforce impersonation levels. An attacker could exploit this vulnerability by convincing a user to run a specially crafted application that is designed to cause CNG to improperly validate impersonation levels, potentially allowing the attacker to gain access to information beyond the access level of the local user. The security update addresses the vulnerability by correcting how the kernel-mode driver validates and enforces impersonation levels. (CVE-2018-0902) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0876, CVE-2018-0893) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0872, CVE-2018-0873, CVE-2018-0874, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 108285
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108285
    title KB4088779: Windows 10 Version 1511 March 2018 Security Update
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_4088786.NASL
    description The remote Windows host is missing security update 4088786. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0876) - An elevation of privilege vulnerability exists in Windows when the Microsoft Video Control mishandles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in system mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0881) - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-0927, CVE-2018-0932) - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0889, CVE-2018-0935) - An elevation of privilege vulnerability exists when Internet Explorer fails a check, allowing sandbox escape. An attacker who successfully exploited the vulnerability could use the sandbox escape to elevate privileges on an affected system. This vulnerability by itself does not allow arbitrary code execution; however, it could allow arbitrary code to be run if the attacker uses it in combination with another vulnerability (such as a remote code execution vulnerability or another elevation of privilege vulnerability) that is capable of leveraging the elevated privileges when code execution is attempted. The update addresses the vulnerability by correcting how Internet Explorer handles zone and integrity settings. (CVE-2018-0942) - A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0872, CVE-2018-0874, CVE-2018-0931, CVE-2018-0933, CVE-2018-0934) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0816, CVE-2018-0817) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0977) - A security feature bypass vulnerability exists in Windows Scripting Host which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-0884) - A security feature bypass vulnerability exists in the Cryptography Next Generation (CNG) kernel-mode driver (cng.sys) when it fails to properly validate and enforce impersonation levels. An attacker could exploit this vulnerability by convincing a user to run a specially crafted application that is designed to cause CNG to improperly validate impersonation levels, potentially allowing the attacker to gain access to information beyond the access level of the local user. The security update addresses the vulnerability by correcting how the kernel-mode driver validates and enforces impersonation levels. (CVE-2018-0902) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888) - An information disclosure vulnerability exists when the scripting engine does not properly handle objects in memory in Microsoft browsers. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0891)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 108288
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108288
    title KB4088786: Windows 10 March 2018 Security Update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0134-1.NASL
    description This update for freerdp fixes the following issues : Security issues fixed : CVE-2018-0886: Fix a remote code execution vulnerability (CredSSP) (bsc#1085416, bsc#1087240, bsc#1104918) CVE-2018-8789: Fix several denial of service vulnerabilities in the in the NTLM Authentication module (bsc#1117965) CVE-2018-8785: Fix a potential remote code execution vulnerability in the zgfx_decompress function (bsc#1117967) CVE-2018-8786: Fix a potential remote code execution vulnerability in the update_read_bitmap_update function (bsc#1117966) CVE-2018-8787: Fix a potential remote code execution vulnerability in the gdi_Bitmap_Decompress function (bsc#1117964) CVE-2018-8788: Fix a potential remote code execution vulnerability in the nsc_rle_decode function (bsc#1117963) CVE-2018-8784: Fix a potential remote code execution vulnerability in the zgfx_decompress_segment function (bsc#1116708) CVE-2018-1000852: Fixed a remote memory access in the drdynvc_process_capability_request function (bsc#1120507) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-22
    plugin id 121302
    published 2019-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121302
    title SUSE SLED12 Security Update : freerdp (SUSE-SU-2019:0134-1)
  • NASL family Windows : Microsoft Bulletins
    NASL id SMB_NT_MS18_MAR_WIN2008.NASL
    description The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists when Windows Remote Assistance incorrectly processes XML External Entities (XXE). An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0878) - An information disclosure vulnerability exists when Internet Explorer improperly handles objects in memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. (CVE-2018-0929) - A remote code execution vulnerability exists when Windows Shell does not properly validate file copy destinations. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. (CVE-2018-0883) - An information disclosure vulnerability exists when the Windows kernel improperly initializes objects in memory. (CVE-2018-0811, CVE-2018-0813, CVE-2018-0814) - A denial of service vulnerability exists when Microsoft Hyper-V Network Switch on a host server fails to properly validate input from a privileged user on a guest operating system. An attacker who successfully exploited the vulnerability could cause the host server to crash. (CVE-2018-0885) - An information disclosure vulnerability exists in the Windows kernel that could allow an attacker to retrieve information that could lead to a Kernel Address Space Layout Randomization (ASLR) bypass. An attacker who successfully exploited the vulnerability could retrieve the memory address of a kernel object. (CVE-2018-0894, CVE-2018-0895, CVE-2018-0896, CVE-2018-0897, CVE-2018-0898, CVE-2018-0899, CVE-2018-0900, CVE-2018-0901, CVE-2018-0904) - An elevation of privilege vulnerability exists in the Windows Installer when the Windows Installer fails to properly sanitize input leading to an insecure library loading behavior. A locally authenticated attacker could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting the input sanitization error to preclude unintended elevation. (CVE-2018-0868) - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker would exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process. To be fully protected against this vulnerability users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected. (CVE-2018-0886) - An elevation of privilege vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0815, CVE-2018-0816, CVE-2018-0817) - An information disclosure vulnerability exists when Windows Hyper-V on a host operating system fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0888)
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 108300
    published 2018-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108300
    title Security Updates for Windows Server 2008 (March 2018)
refmap via4
bid 103265
confirm https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0886
misc
sectrack 1040506
the hacker news via4
id THN:CF7BA9D2C2B4187B1B2CD905F798D8A2
last seen 2018-03-13
modified 2018-03-13
published 2018-03-13
reporter Mohit Kumar
source https://thehackernews.com/2018/03/credssp-rdp-exploit.html
title CredSSP Flaw in Remote Desktop Protocol Affects All Versions of Windows
Last major update 14-03-2018 - 13:29
Published 14-03-2018 - 13:29
Last modified 13-03-2019 - 09:45
Back to Top