KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update - Nessus

High   Plugin ID: 109605

---

This page contains detailed information about the KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 109605
Name: KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update
Filename: smb_nt_ms18_may_4103721.nasl
Vulnerability Published: 2018-05-08
This Plugin Published: 2018-05-08
Last Modification Time: 2022-02-22
Plugin Version: 1.14
Plugin Type: local
Plugin Family: Windows : Microsoft Bulletins
Dependencies: ms_bulletin_checks_possible.nasl, smb_check_rollup.nasl, smb_hotfixes.nasl
Required KB Items [?]: SMB/MS_Bulletin_Checks/Possible

Vulnerability Information

---

Severity: High
Vulnerability Published: 2018-05-08
Patch Published: 2018-05-08
CVE [?]: CVE-2018-0765, CVE-2018-0824, CVE-2018-0943, CVE-2018-0945, CVE-2018-0946, CVE-2018-0953, CVE-2018-0954, CVE-2018-0955, CVE-2018-0958, CVE-2018-0959, CVE-2018-0961, CVE-2018-1022, CVE-2018-1025, CVE-2018-1039, CVE-2018-8112, CVE-2018-8114, CVE-2018-8122, CVE-2018-8124, CVE-2018-8126, CVE-2018-8127, CVE-2018-8128, CVE-2018-8129, CVE-2018-8130, CVE-2018-8132, CVE-2018-8133, CVE-2018-8134, CVE-2018-8136, CVE-2018-8137, CVE-2018-8139, CVE-2018-8145, CVE-2018-8164, CVE-2018-8165, CVE-2018-8166, CVE-2018-8167, CVE-2018-8174, CVE-2018-8178, CVE-2018-8179, CVE-2018-8897
CPE [?]: cpe:/a:microsoft:edge, cpe:/o:microsoft:windows
Exploited by Malware: True

Synopsis

The remote Windows host is affected by multiple vulnerabilities.

Description

The remote Windows host is missing security update 4103721. It is, therefore, affected by multiple vulnerabilities :

- A security feature bypass vulnerability exists in .Net Framework which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-1039)

- A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8178)

- A remote code execution vulnerability exists in Microsoft COM for Windows when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-0824)

- A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate vSMB packet data. An attacker who successfully exploited these vulnerabilities could execute arbitrary code on a target operating system. To exploit these vulnerabilities, an attacker running inside a virtual machine could run a specially crafted application that could cause the Hyper-V host operating system to execute arbitrary code. The update addresses the vulnerabilities by correcting how Windows Hyper-V validates vSMB packet data. (CVE-2018-0961)

- An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-1025)

- A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0955, CVE-2018-8114, CVE-2018-8122)

- An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8167)

- A security feature bypass vulnerability exists in Windows which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-0958, CVE-2018-8129, CVE-2018-8132)

- An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2018-8127)

- A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8174)

- A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0943, CVE-2018-8130, CVE-2018-8133)

- A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted. (CVE-2018-8112)

- A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET (or .NET core) application. The update addresses the vulnerability by correcting how .NET and .NET Core applications handle XML document processing. (CVE-2018-0765)

- An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8897)

- An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the users computer or data. (CVE-2018-8145)

- An elevation of privilege vulnerability exists when the DirectX Graphics Kernel (DXGKRNL) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8165)

- A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. (CVE-2018-8136)

- A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0959)

- An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8124, CVE-2018-8164, CVE-2018-8166)

- A security feature bypass vulnerability exists when Internet Explorer fails to validate User Mode Code Integrity (UMCI) policies. The vulnerability could allow an attacker to bypass Device Guard UMCI policies. (CVE-2018-8126)

- An elevation of privilege vulnerability exists in the way that the Windows Kernel API enforces permissions. An attacker who successfully exploited the vulnerability could impersonate processes, interject cross-process communication, or interrupt system functionality. (CVE-2018-8134)

- A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0954, CVE-2018-1022)

- A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8179)

- A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0945, CVE-2018-0946, CVE-2018-0953, CVE-2018-8128, CVE-2018-8137, CVE-2018-8139)

Solution

Apply Cumulative Update KB4103721.

Public Exploits

---

Target Network Port(s): 139, 445
Target Asset(s): Host/patch_management_checks
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update vulnerability:

1. Metasploit: exploit/windows/local/mov_ss
   [Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability]
2. Metasploit: post/windows/escalate/unmarshal_cmd_exec
   [Windows unmarshal post exploitation]
3. Exploit-DB: exploits/windows/local/44697.txt
   [EDB-44697: Microsoft Windows - 'POP/MOV SS' Privilege Escalation]
4. Exploit-DB: exploits/windows/local/44906.txt
   [EDB-44906: Microsoft COM for Windows - Privilege Escalation]
5. Exploit-DB: exploits/windows/local/45024.rb
   [EDB-45024: Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)]
6. GitHub: https://codewhitesec.blogspot.com/2018/06/cve-2018-0624.html
   [CVE-2018-0824]
7. GitHub: https://github.com/Ascotbe/Kernelhub
   [CVE-2018-0824]
8. GitHub: https://github.com/Flerov/WindowsExploitDev
   [CVE-2018-0824]
9. GitHub: https://github.com/cranelab/exploit-development
   [CVE-2018-0824]
10. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2018-0824]
11. GitHub: https://github.com/tunz/js-vuln-db
    [CVE-2018-0953]
12. GitHub: https://github.com/tunz/js-vuln-db/blob/master/chakra/CVE-2018-0953.md
    [CVE-2018-0953]
13. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2018-8124]
14. GitHub: https://github.com/punishell/WindowsLegacyCVE
    [CVE-2018-8134]
15. GitHub: https://github.com/tunz/js-vuln-db
    [CVE-2018-8139]
16. GitHub: https://github.com/tunz/js-vuln-db
    [CVE-2018-8145]
17. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2018-8164]
18. GitHub: https://github.com/ycdxsb/WindowsPrivilegeEscalation
    [CVE-2018-8166]
19. GitHub: https://github.com/1120362990/Paper
    [CVE-2018-8174]
20. GitHub: https://github.com/Apri1y/Red-Team-links
    [CVE-2018-8174]
21. GitHub: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
    [CVE-2018-8174]
22. GitHub: https://github.com/DarkFlameMaster-bit/CVE-2018-8174_EXP
    [CVE-2018-8174]
23. GitHub: https://github.com/Echocipher/Resource-list
    [CVE-2018-8174]
24. GitHub: https://github.com/HacTF/poc--exp
    [CVE-2018-8174]
25. GitHub: https://github.com/InQuest/yara-rules
    [CVE-2018-8174]
26. GitHub: https://github.com/KasperskyLab/VBscriptInternals
    [CVE-2018-8174]
27. GitHub: https://github.com/MrTcsy/Exploit
    [CVE-2018-8174]
28. GitHub: https://github.com/Panopticon-Project/panopticon-DarkHotel
    [CVE-2018-8174]
29. GitHub: https://github.com/RingLcy/VulnerabilityAnalysisAndExploit
    [CVE-2018-8174]
30. GitHub: https://github.com/dcsync/rtfkit
    [CVE-2018-8174: generate RTF exploit payload. uses cve-2017-11882, cve-2017-8570, cve-2018-0802, and ...]
31. GitHub: https://github.com/delina1/CVE-2018-8174
    [CVE-2018-8174]
32. GitHub: https://github.com/delina1/CVE-2018-8174_EXP
    [CVE-2018-8174]
33. GitHub: https://github.com/ericisnotrealname/CVE-2018-8174_EXP
    [CVE-2018-8174]
34. GitHub: https://github.com/eric-erki/APT_CyberCriminal_Campagin_Collections
    [CVE-2018-8174]
35. GitHub: https://github.com/hongriSec/Growth-Diary
    [CVE-2018-8174]
36. GitHub: https://github.com/hudunkey/Red-Team-links
    [CVE-2018-8174]
37. GitHub: https://github.com/iwarsong/apt
    [CVE-2018-8174]
38. GitHub: https://github.com/john-80/-007
    [CVE-2018-8174]
39. GitHub: https://github.com/likescam/APT_CyberCriminal_Campagin_Collections
    [CVE-2018-8174]
40. GitHub: https://github.com/likescam/CVE-2018-8174-msf
    [CVE-2018-8174]
41. GitHub: https://github.com/likescam/CyberMonitor-APT_CyberCriminal_Campagin_Collections
    [CVE-2018-8174]
42. GitHub: https://github.com/lisinan988/CVE-2018-8174-exp
    [CVE-2018-8174]
43. GitHub: https://github.com/lp008/Hack-readme
    [CVE-2018-8174]
44. GitHub: https://github.com/qazbnm456/awesome-cve-poc/blob/master/CVE-2018-8174.md
    [CVE-2018-8174]
45. GitHub: https://github.com/sinisterghost/https-github.com-iBearcat-CVE-2018-8174_EXP
    [CVE-2018-8174]
46. GitHub: https://github.com/slimdaddy/RedTeam
    [CVE-2018-8174]
47. GitHub: https://github.com/sumas/APT_CyberCriminal_Campagin_Collections
    [CVE-2018-8174]
48. GitHub: https://github.com/w16692926717/CVE-2018-8174_EXP
    [CVE-2018-8174]
49. GitHub: https://github.com/washgo/HackTool
    [CVE-2018-8174]
50. GitHub: https://github.com/wateroot/poc-exp
    [CVE-2018-8174]
51. GitHub: https://github.com/wrlu/Vulnerabilities
    [CVE-2018-8174]
52. GitHub: https://github.com/www201001/https-github.com-iBearcat-CVE-2018-8174_EXP
    [CVE-2018-8174]
53. GitHub: https://github.com/www201001/https-github.com-iBearcat-CVE-2018-8174_EXP.git-
    [CVE-2018-8174]
54. GitHub: https://github.com/xiaoZ-hc/redtool
    [CVE-2018-8174]
55. GitHub: https://github.com/Apri1y/Red-Team-links
    [CVE-2018-8897]
56. GitHub: https://github.com/CrackerCat/Kernel-Security-Development
    [CVE-2018-8897]
57. GitHub: https://github.com/Echocipher/Resource-list
    [CVE-2018-8897]
58. GitHub: https://github.com/ExpLife0011/awesome-windows-kernel-security-development
    [CVE-2018-8897]
59. GitHub: https://github.com/Ondrik8/exploit
    [CVE-2018-8897]
60. GitHub: https://github.com/hudunkey/Red-Team-links
    [CVE-2018-8897]
61. GitHub: https://github.com/john-80/-007
    [CVE-2018-8897]
62. GitHub: https://github.com/lp008/Hack-readme
    [CVE-2018-8897]
63. GitHub: https://github.com/pr0code/https-github.com-ExpLife0011-awesome-windows-kernel-security-development
    [CVE-2018-8897]
64. GitHub: https://github.com/pravinsrc/NOTES-windows-kernel-links
    [CVE-2018-8897]
65. GitHub: https://github.com/slimdaddy/RedTeam
    [CVE-2018-8897]
66. GitHub: https://github.com/whiteHat001/Kernel-Security
    [CVE-2018-8897]
67. GitHub: https://github.com/xiaoZ-hc/redtool
    [CVE-2018-8897]
68. GitHub: https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html
    [CVE-2018-8897]
69. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/44697.zip
    [EDB-44697]
70. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/44906.zip
    [EDB-44906]
71. GitHub: https://github.com/codewhitesec/UnmarshalPwn
    [CVE-2018-0824: POC for CVE-2018-0824]
72. GitHub: https://github.com/0x09AL/CVE-2018-8174-msf
    [CVE-2018-8174: CVE-2018-8174 - VBScript memory corruption exploit.]
73. GitHub: https://github.com/orf53975/Rig-Exploit-for-CVE-2018-8174
    [CVE-2018-8174: Rig Exploit for CVE-2018-8174 As with its previous campaigns, Rig’s Seamless ...]
74. GitHub: https://github.com/piotrflorczyk/cve-2018-8174_analysis
    [CVE-2018-8174: Analysis of VBS exploit CVE-2018-8174]
75. GitHub: https://github.com/ruthlezs/ie11_vbscript_exploit
    [CVE-2018-8174: Exploit Generator for CVE-2018-8174 & CVE-2019-0768 (RCE via VBScript Execution in ...]
76. GitHub: https://github.com/SyFi/CVE-2018-8174
    [CVE-2018-8174: MS Word MS WordPad via IE VBS Engine RCE]
77. GitHub: https://github.com/Yt1g3r/CVE-2018-8174_EXP
    [CVE-2018-8174: CVE-2018-8174_python]
78. GitHub: https://github.com/can1357/CVE-2018-8897
    [CVE-2018-8897: Arbitrary code execution with kernel privileges using CVE-2018-8897.]
79. GitHub: https://github.com/jiazhang0/pop-mov-ss-exploit
    [CVE-2018-8897: The exploitation for CVE-2018-8897]
80. GitHub: https://github.com/nmulasmajic/CVE-2018-8897
    [CVE-2018-8897: Implements the POP/MOV SS (CVE-2018-8897) vulnerability by bugchecking the machine ...]
81. GitHub: https://github.com/nmulasmajic/syscall_exploit_CVE-2018-8897
    [CVE-2018-8897: Implements the POP/MOV SS (CVE-2018-8897) vulnerability by leveraging SYSCALL to ...]
82. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2018-8136
CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

CVSS Base Score:	9.3 (High)
Impact Subscore:	10.0
Exploitability Subscore:	8.6
CVSS Temporal Score:	8.1 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	8.1 (High)

CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CVSS Base Score:	7.8 (High)
Impact Subscore:	5.9
Exploitability Subscore:	1.8
CVSS Temporal Score:	7.5 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	7.5 (High)

Go back to menu.

Plugin Source

---

This is the smb_nt_ms18_may_4103721.nasl nessus plugin source code. This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

if (description)
{
  script_id(109605);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/02/22");

  script_cve_id(
    "CVE-2018-0765",
    "CVE-2018-0824",
    "CVE-2018-0943",
    "CVE-2018-0945",
    "CVE-2018-0946",
    "CVE-2018-0953",
    "CVE-2018-0954",
    "CVE-2018-0955",
    "CVE-2018-0958",
    "CVE-2018-0959",
    "CVE-2018-0961",
    "CVE-2018-1022",
    "CVE-2018-1025",
    "CVE-2018-1039",
    "CVE-2018-8112",
    "CVE-2018-8114",
    "CVE-2018-8122",
    "CVE-2018-8124",
    "CVE-2018-8126",
    "CVE-2018-8127",
    "CVE-2018-8128",
    "CVE-2018-8129",
    "CVE-2018-8130",
    "CVE-2018-8132",
    "CVE-2018-8133",
    "CVE-2018-8134",
    "CVE-2018-8136",
    "CVE-2018-8137",
    "CVE-2018-8139",
    "CVE-2018-8145",
    "CVE-2018-8164",
    "CVE-2018-8165",
    "CVE-2018-8166",
    "CVE-2018-8167",
    "CVE-2018-8174",
    "CVE-2018-8178",
    "CVE-2018-8179",
    "CVE-2018-8897"
  );
  script_xref(name:"MSKB", value:"4103721");
  script_xref(name:"MSFT", value:"MS18-4103721");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/08/15");

  script_name(english:"KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 4103721.
It is, therefore, affected by multiple vulnerabilities :

  - A security feature bypass vulnerability exists in .Net
    Framework which could allow an attacker to bypass Device
    Guard. An attacker who successfully exploited this
    vulnerability could circumvent a User Mode Code
    Integrity (UMCI) policy on the machine.  (CVE-2018-1039)

  - A remote code execution vulnerability exists in the way
    that Microsoft browsers access objects in memory. The
    vulnerability could corrupt memory in a way that could
    allow an attacker to execute arbitrary code in the
    context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user.  (CVE-2018-8178)

  - A remote code execution vulnerability exists in
    Microsoft COM for Windows when it fails to
    properly handle serialized objects. An attacker who
    successfully exploited the vulnerability could use a
    specially crafted file or script to perform actions. In
    an email attack scenario, an attacker could exploit the
    vulnerability by sending the specially crafted file to
    the user and convincing the user to open the file.
    (CVE-2018-0824)

  - A remote code execution vulnerability exists when
    Windows Hyper-V on a host server fails to properly
    validate vSMB packet data. An attacker who successfully
    exploited these vulnerabilities could execute arbitrary
    code on a target operating system. To exploit these
    vulnerabilities, an attacker running inside a virtual
    machine could run a specially crafted application that
    could cause the Hyper-V host operating system to execute
    arbitrary code. The update addresses the vulnerabilities
    by correcting how Windows Hyper-V validates vSMB packet
    data. (CVE-2018-0961)

  - An information disclosure vulnerability exists when
    affected Microsoft browsers improperly handle objects in
    memory. An attacker who successfully exploited this
    vulnerability could obtain information to further
    compromise the users system.  (CVE-2018-1025)

  - A remote code execution vulnerability exists in the way
    that the scripting engine handles objects in memory in
    Internet Explorer. The vulnerability could corrupt
    memory in such a way that an attacker could execute
    arbitrary code in the context of the current user. An
    attacker who successfully exploited the vulnerability
    could gain the same user rights as the current user.
    (CVE-2018-0955, CVE-2018-8114, CVE-2018-8122)

  - An elevation of privilege vulnerability exists when the
    Windows Common Log File System (CLFS) driver improperly
    handles objects in memory. An attacker who successfully
    exploited this vulnerability could run processes in an
    elevated context.  (CVE-2018-8167)

  - A security feature bypass vulnerability exists in
    Windows which could allow an attacker to bypass Device
    Guard. An attacker who successfully exploited this
    vulnerability could circumvent a User Mode Code
    Integrity (UMCI) policy on the machine.  (CVE-2018-0958,
    CVE-2018-8129, CVE-2018-8132)

  - An information disclosure vulnerability exists when the
    Windows kernel improperly handles objects in memory. An
    attacker who successfully exploited this vulnerability
    could obtain information to further compromise the users
    system.  (CVE-2018-8127)

  - A remote code execution vulnerability exists in the way
    that the VBScript engine handles objects in memory. The
    vulnerability could corrupt memory in such a way that an
    attacker could execute arbitrary code in the context of
    the current user. An attacker who successfully exploited
    the vulnerability could gain the same user rights as the
    current user.  (CVE-2018-8174)

  - A remote code execution vulnerability exists in the way
    that the Chakra scripting engine handles objects in
    memory in Microsoft Edge. The vulnerability could
    corrupt memory in such a way that an attacker could
    execute arbitrary code in the context of the current
    user. An attacker who successfully exploited the
    vulnerability could gain the same user rights as the
    current user.  (CVE-2018-0943, CVE-2018-8130,
    CVE-2018-8133)

  - A security feature bypass vulnerability exists when
    Microsoft Edge improperly handles requests of different
    origins. The vulnerability allows Microsoft Edge to
    bypass Same-Origin Policy (SOP) restrictions, and to
    allow requests that should otherwise be ignored. An
    attacker who successfully exploited the vulnerability
    could force the browser to send data that would
    otherwise be restricted.  (CVE-2018-8112)

  - A denial of service vulnerability exists when .NET and
    .NET Core improperly process XML documents. An attacker
    who successfully exploited this vulnerability could
    cause a denial of service against a .NET application. A
    remote unauthenticated attacker could exploit this
    vulnerability by issuing specially crafted requests to a
    .NET (or .NET core) application. The update addresses
    the vulnerability by correcting how .NET and .NET Core
    applications handle XML document processing.
    (CVE-2018-0765)

  - An elevation of privilege vulnerability exists when the
    Windows kernel fails to properly handle objects in
    memory. An attacker who successfully exploited this
    vulnerability could run arbitrary code in kernel mode.
    An attacker could then install programs; view, change,
    or delete data; or create new accounts with full user
    rights.  (CVE-2018-8897)

  - An information disclosure vulnerability exists when
    Chakra improperly discloses the contents of its memory,
    which could provide an attacker with information to
    further compromise the users computer or data.
    (CVE-2018-8145)

  - An elevation of privilege vulnerability exists when the
    DirectX Graphics Kernel (DXGKRNL) driver improperly
    handles objects in memory. An attacker who successfully
    exploited this vulnerability could run processes in an
    elevated context.  (CVE-2018-8165)

  - A remote code execution vulnerability exists in the way
    that Windows handles objects in memory. An attacker who
    successfully exploited the vulnerability could execute
    arbitrary code with elevated permissions on a target
    system.  (CVE-2018-8136)

  - A remote code execution vulnerability exists when
    Windows Hyper-V on a host server fails to properly
    validate input from an authenticated user on a guest
    operating system.  (CVE-2018-0959)

  - An elevation of privilege vulnerability exists in
    Windows when the Win32k component fails to properly
    handle objects in memory. An attacker who successfully
    exploited this vulnerability could run arbitrary code in
    kernel mode. An attacker could then install programs;
    view, change, or delete data; or create new accounts
    with full user rights.  (CVE-2018-8124, CVE-2018-8164,
    CVE-2018-8166)

  - A security feature bypass vulnerability exists when
    Internet Explorer fails to validate User Mode Code
    Integrity (UMCI) policies. The vulnerability could allow
    an attacker to bypass Device Guard UMCI policies.
    (CVE-2018-8126)

  - An elevation of privilege vulnerability exists in the
    way that the Windows Kernel API enforces permissions. An
    attacker who successfully exploited the vulnerability
    could impersonate processes, interject cross-process
    communication, or interrupt system functionality.
    (CVE-2018-8134)

  - A remote code execution vulnerability exists in the way
    the scripting engine handles objects in memory in
    Microsoft browsers. The vulnerability could corrupt
    memory in such a way that an attacker could execute
    arbitrary code in the context of the current user. An
    attacker who successfully exploited the vulnerability
    could gain the same user rights as the current user.
    (CVE-2018-0954, CVE-2018-1022)

  - A remote code execution vulnerability exists when
    Microsoft Edge improperly accesses objects in memory.
    The vulnerability could corrupt memory in such a way
    that enables an attacker to execute arbitrary code in
    the context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user.  (CVE-2018-8179)

  - A remote code execution vulnerability exists in the way
    that the scripting engine handles objects in memory in
    Microsoft Edge. The vulnerability could corrupt memory
    in such a way that an attacker could execute arbitrary
    code in the context of the current user. An attacker who
    successfully exploited the vulnerability could gain the
    same user rights as the current user.  (CVE-2018-0945,
    CVE-2018-0946, CVE-2018-0953, CVE-2018-8128,
    CVE-2018-8137, CVE-2018-8139)");
  # https://support.microsoft.com/en-us/help/4103721/windows-10-update-kb4103721
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9d0d5cd2");
  script_set_attribute(attribute:"solution", value:
"Apply Cumulative Update KB4103721.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8136");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:edge");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = "MS18-05";
kbs = make_list('4103721');

if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:"10",
                   sp:0,
                   os_build:"17134",
                   rollup_date:"05_2018",
                   bulletin:bulletin,
                   rollup_kb_list:[4103721])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/smb_nt_ms18_may_4103721.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_nt_ms18_may_4103721.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/smb_nt_ms18_may_4103721.nasl

Go back to menu.

How to Run

---

Here is how to run the KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select Windows : Microsoft Bulletins plugin family.
6. On the right side table select KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update plugin ID 109605.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_nt_ms18_may_4103721.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a smb_nt_ms18_may_4103721.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_nt_ms18_may_4103721.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state smb_nt_ms18_may_4103721.nasl -t <IP/HOST>

Go back to menu.

References

---

MSKB | Microsoft Knowledge Base:

• 4103721

MSFT | Microsoft Security Bulletin:

• MS18-4103721

See also:

• https://www.tenable.com/plugins/nessus/109605
• http://www.nessus.org/u?9d0d5cd2
• https://vulners.com/nessus/SMB_NT_MS18_MAY_4103721.NASL

Similar and related Nessus plugins:

• 128551 - Drupal PHPUnit/Mailchimp Code Execution Vulnerability
• 119462 - Adobe Flash Player <= 31.0.0.153 (APSB18-42)
• 104693 - FreeBSD : mediawiki -- multiple vulnerabilities (298829e2-ccce-11e7-92e4-000c29649f92)
• 119481 - FreeBSD : Flash Player -- multiple vulnerabilities (49cbe200-f92a-11e8-a89d-d43d7ef03aa6)
• 104696 - GLSA-201711-15 : PHPUnit: Remote code execution
• 119424 - Adobe Flash Player for Mac <= 31.0.0.153 (APSB18-42)
• 73414 - MS14-017: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) (Mac OS X)
• 119489 - RHEL 6 : flash-plugin (RHSA-2018:3795)
• 71311 - MS13-096: Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution (2908005)
• 73413 - MS14-017: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660)
• 109603 - KB4103716: Windows 10 May 2018 Security Update
• 109604 - KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update
• 109606 - KB4103723: Windows 10 Version 1607 and Windows Server 2016 May 2018 Security Update
• 109607 - KB4103715: Windows 8.1 and Windows Server 2012 R2 May 2018 Security Update
• 109608 - KB4103727: Windows 10 Version 1709 and Windows Server Version 1709 May 2018 Security Update
• 109610 - KB4103726: Windows Server 2012 May 2018 Security Update
• 109611 - KB4103731: Windows 10 Version 1703 May 2018 Security Update
• 109651 - Security Updates for Windows Server 2008 (May 2018)
• 119463 - KB4471331: Security update for Adobe Flash Player (December 2018)
• 123940 - KB4493467: Windows 8.1 and Windows Server 2012 R2 April 2019 Security Update
• 123941 - KB4493450: Windows Server 2012 April 2019 Security Update
• 123943 - KB4493470: Windows 10 Version 1607 and Windows Server 2016 April 2019 Security Update
• 123945 - KB4493448: Windows 7 and Windows Server 2008 R2 April 2019 Security Update
• 123946 - KB4493474: Windows 10 Version 1703 April 2019 Security Update
• 123947 - KB4493475: Windows 10 April 2019 Security Update
• 123948 - KB4493509: Windows 10 Version 1809 and Windows Server 2019 April 2019 Security Update
• 123951 - Security Updates for Internet Explorer (April 2019)
• 122448 - RARLAB WinRAR < 5.70 Beta 1 Multiple Vulnerabilities

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_nt_ms18_may_4103721.nasl version 1.14. For more plugins, visit the Nessus Plugin Library.

Go back to menu.