KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update - Nessus
High Plugin ID: 138460This page contains detailed information about the KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 138460
Name: KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update
Filename: smb_nt_ms20_jul_4565524.nasl
Vulnerability Published: 2020-07-14
This Plugin Published: 2020-07-14
Last Modification Time: 2021-11-30
Plugin Version: 1.12
Plugin Type: local
Plugin Family: Windows : Microsoft Bulletins
Dependencies:
ms_bulletin_checks_possible.nasl, smb_check_rollup.nasl, smb_hotfixes.nasl
Required KB Items [?]: SMB/MS_Bulletin_Checks/Possible
Vulnerability Information
Severity: High
Vulnerability Published: 2020-07-14
Patch Published: 2020-07-14
CVE [?]: CVE-2020-1085, CVE-2020-1147, CVE-2020-1267, CVE-2020-1333, CVE-2020-1346, CVE-2020-1351, CVE-2020-1354, CVE-2020-1359, CVE-2020-1360, CVE-2020-1365, CVE-2020-1371, CVE-2020-1373, CVE-2020-1374, CVE-2020-1384, CVE-2020-1389, CVE-2020-1390, CVE-2020-1396, CVE-2020-1397, CVE-2020-1400, CVE-2020-1401, CVE-2020-1402, CVE-2020-1403, CVE-2020-1407, CVE-2020-1408, CVE-2020-1409, CVE-2020-1410, CVE-2020-1412, CVE-2020-1419, CVE-2020-1421, CVE-2020-1427, CVE-2020-1428, CVE-2020-1430, CVE-2020-1432, CVE-2020-1435, CVE-2020-1436, CVE-2020-1437, CVE-2020-1438, CVE-2020-1468
CPE [?]: cpe:/o:microsoft:windows
Exploited by Malware: True
Synopsis
The remote Windows host is affected by multiple vulnerabilities.
Description
The remote Windows host is missing security update 4565539 or cumulative update 4565524. It is, therefore, affected by multiple vulnerabilities :
- A remote code execution vulnerability exists in the way that DirectWrite handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how DirectWrite handles objects in memory. (CVE-2020-1409)
- An elevation of privilege vulnerability exists when the Windows Profile Service improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. (CVE-2020-1360)
- A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2020-1403)
- A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1374)
- A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted fonts. For all systems except Windows 10, an attacker who successfully exploited the vulnerability could execute code remotely. For systems running Windows 10, an attacker who successfully exploited the vulnerability could execute code in an AppContainer sandbox context with limited privileges and capabilities. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are multiple ways an attacker could exploit the vulnerability: (CVE-2020-1436)
- An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory. (CVE-2020-1354, CVE-2020-1430)
- An information disclosure vulnerability exists when the Windows GDI component improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the users system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage. The security update addresses the vulnerability by correcting how the Windows GDI component handles objects in memory. (CVE-2020-1468)
- An elevation of privilege vulnerability exists when the Windows Event Logging Service improperly handles memory. (CVE-2020-1365, CVE-2020-1371)
- An elevation of privilege vulnerability exists in the way that the Windows Network Location Awareness Service handles objects in memory. An attacker who successfully exploited the vulnerability could allow an application with limited privileges on an affected system to execute code at a medium integrity level. (CVE-2020-1437)
- An information disclosure vulnerability exists in Windows when the Windows Imaging Component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit this vulnerability: (CVE-2020-1397)
- A remote code execution vulnerability exists when Windows Address Book (WAB) improperly processes vcard files. (CVE-2020-1410)
- An information disclosure vulnerability exists when the Windows Graphics component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. An authenticated attacker could exploit this vulnerability by running a specially crafted application. The update addresses the vulnerability by correcting how the Windows Graphics Component handles objects in memory. (CVE-2020-1351)
- An elevation of privilege vulnerability exists when Group Policy Services Policy Processing improperly handle reparse points. An attacker who successfully exploited this vulnerability could overwrite a targeted file that would normally require elevated permissions. (CVE-2020-1333)
- A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1408)
- An elevation of privilege vulnerability exists when the Windows Modules Installer improperly handles file operations. An attacker who successfully exploited this vulnerability could gain elevated privileges. (CVE-2020-1346)
- An elevation of privilege vulnerability exists when Windows improperly handles calls to Advanced Local Procedure Call (ALPC). An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1396)
- An information disclosure vulnerability exists when Skype for Business is accessed via Internet Explorer. An attacker who exploited the vulnerability could cause the user to place a call without additional consent, leading to information disclosure of the user profile. For the vulnerability to be exploited, a user must click a specially crafted URL that prompts the Skype app. (CVE-2020-1432)
- An elevation of privilege vulnerability exists when the Windows ActiveX Installer Service improperly handles memory. (CVE-2020-1402)
- A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content. (CVE-2020-1147)
- An elevation of privilege vulnerability exists when the Windows Cryptography Next Generation (CNG) Key Isolation service improperly handles memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2020-1359, CVE-2020-1384)
- An elevation of privilege vulnerability exists in the way that the Windows Network Connections Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1373, CVE-2020-1390, CVE-2020-1427, CVE-2020-1428, CVE-2020-1438)
- An elevation of privilege vulnerability exists in the way that the Windows Function Discovery Service handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2020-1085)
- A remote code execution vulnerability exists in the way that Microsoft Graphics Components handle objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code on a target system. (CVE-2020-1412)
- A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code on a victim system. An attacker could exploit this vulnerability by enticing a victim to open a specially crafted file. The update addresses the vulnerability by correcting the way the Windows Jet Database Engine handles objects in memory. (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407)
- An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the users system. (CVE-2020-1389, CVE-2020-1419)
- This security update corrects a denial of service in the Local Security Authority Subsystem Service (LSASS) caused when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause a denial of service on the target system's LSASS service, which triggers an automatic reboot of the system. The security update addresses the vulnerability by changing the way that LSASS handles specially crafted authentication requests. (CVE-2020-1267)
- A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2020-1435)
- A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. (CVE-2020-1421)
Solution
Apply Security Only update KB4565539 or Cumulative Update KB4565524.
Public Exploits
Target Network Port(s): 139, 445
Target Asset(s): Host/patch_management_checks
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update vulnerability:
- Metasploit: exploit/windows/http/sharepoint_data_deserialization
[SharePoint DataSet / DataTable Deserialization] - Exploit-DB: exploits/aspx/webapps/48747.py
[EDB-48747: Microsoft SharePoint Server 2019 - Remote Code Execution] - Exploit-DB: exploits/aspx/webapps/50151.py
[EDB-50151: Microsoft SharePoint Server 2019 - Remote Code Execution (2)] - GitHub: https://github.com/H0j3n/EzpzSharepoint
[CVE-2020-1147] - GitHub: https://github.com/amcai/myscan
[CVE-2020-1147] - GitHub: https://github.com/michael101096/cs2020_msels
[CVE-2020-1147] - GitHub: https://github.com/pwntester/ysoserial.net
[CVE-2020-1147] - GitHub: https://github.com/xinali/articles
[CVE-2020-1351]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS Score Source [?]: CVE-2020-1435
CVSS V2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
| CVSS Base Score: | 9.3 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 8.6 |
| CVSS Temporal Score: | 8.1 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.1 (High) |
| CVSS Base Score: | 8.8 (High) |
| Impact Subscore: | 5.9 |
| Exploitability Subscore: | 2.8 |
| CVSS Temporal Score: | 8.4 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.4 (High) |
STIG Risk Rating: High
Go back to menu.
Plugin Source
This is the smb_nt_ms20_jul_4565524.nasl nessus plugin source code. This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include('compat.inc');
if (description)
{
script_id(138460);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/11/30");
script_cve_id(
"CVE-2020-1085",
"CVE-2020-1147",
"CVE-2020-1267",
"CVE-2020-1333",
"CVE-2020-1346",
"CVE-2020-1351",
"CVE-2020-1354",
"CVE-2020-1359",
"CVE-2020-1360",
"CVE-2020-1365",
"CVE-2020-1371",
"CVE-2020-1373",
"CVE-2020-1374",
"CVE-2020-1384",
"CVE-2020-1389",
"CVE-2020-1390",
"CVE-2020-1396",
"CVE-2020-1397",
"CVE-2020-1400",
"CVE-2020-1401",
"CVE-2020-1402",
"CVE-2020-1403",
"CVE-2020-1407",
"CVE-2020-1408",
"CVE-2020-1409",
"CVE-2020-1410",
"CVE-2020-1412",
"CVE-2020-1419",
"CVE-2020-1421",
"CVE-2020-1427",
"CVE-2020-1428",
"CVE-2020-1430",
"CVE-2020-1432",
"CVE-2020-1435",
"CVE-2020-1436",
"CVE-2020-1437",
"CVE-2020-1438",
"CVE-2020-1468"
);
script_xref(name:"MSKB", value:"4565539");
script_xref(name:"MSKB", value:"4565524");
script_xref(name:"MSFT", value:"MS20-4565539");
script_xref(name:"MSFT", value:"MS20-4565524");
script_xref(name:"IAVA", value:"2020-A-0306-S");
script_xref(name:"IAVA", value:"2020-A-0313-S");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");
script_name(english:"KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 4565539
or cumulative update 4565524. It is, therefore, affected by
multiple vulnerabilities :
- A remote code execution vulnerability exists in the way
that DirectWrite handles objects in memory. An attacker
who successfully exploited this vulnerability could take
control of the affected system. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights. There are
multiple ways an attacker could exploit the
vulnerability, such as by convincing a user to open a
specially crafted document, or by convincing a user to
visit an untrusted webpage. The security update
addresses the vulnerability by correcting how
DirectWrite handles objects in memory. (CVE-2020-1409)
- An elevation of privilege vulnerability exists when the
Windows Profile Service improperly handles file
operations. An attacker who successfully exploited this
vulnerability could gain elevated privileges.
(CVE-2020-1360)
- A remote code execution vulnerability exists in the way
that the VBScript engine handles objects in memory. The
vulnerability could corrupt memory in such a way that an
attacker could execute arbitrary code in the context of
the current user. An attacker who successfully exploited
the vulnerability could gain the same user rights as the
current user. (CVE-2020-1403)
- A remote code execution vulnerability exists in the
Windows Remote Desktop Client when a user connects to a
malicious server. An attacker who successfully exploited
this vulnerability could execute arbitrary code on the
computer of the connecting client. An attacker could
then install programs; view, change, or delete data; or
create new accounts with full user rights.
(CVE-2020-1374)
- A remote code execution vulnerability exists when the
Windows font library improperly handles specially
crafted fonts. For all systems except Windows 10, an
attacker who successfully exploited the vulnerability
could execute code remotely. For systems running Windows
10, an attacker who successfully exploited the
vulnerability could execute code in an AppContainer
sandbox context with limited privileges and
capabilities. An attacker could then install programs;
view, change, or delete data; or create new accounts
with full user rights. There are multiple ways an
attacker could exploit the vulnerability:
(CVE-2020-1436)
- An elevation of privilege vulnerability exists when the
Windows UPnP Device Host improperly handles memory.
(CVE-2020-1354, CVE-2020-1430)
- An information disclosure vulnerability exists when the
Windows GDI component improperly discloses the contents
of its memory. An attacker who successfully exploited
the vulnerability could obtain information to further
compromise the users system. There are multiple ways an
attacker could exploit the vulnerability, such as by
convincing a user to open a specially crafted document,
or by convincing a user to visit an untrusted webpage.
The security update addresses the vulnerability by
correcting how the Windows GDI component handles objects
in memory. (CVE-2020-1468)
- An elevation of privilege vulnerability exists when the
Windows Event Logging Service improperly handles memory.
(CVE-2020-1365, CVE-2020-1371)
- An elevation of privilege vulnerability exists in the
way that the Windows Network Location Awareness Service
handles objects in memory. An attacker who successfully
exploited the vulnerability could allow an application
with limited privileges on an affected system to execute
code at a medium integrity level. (CVE-2020-1437)
- An information disclosure vulnerability exists in
Windows when the Windows Imaging Component fails to
properly handle objects in memory. An attacker who
successfully exploited this vulnerability could obtain
information to further compromise the user's system.
There are multiple ways an attacker could exploit this
vulnerability: (CVE-2020-1397)
- A remote code execution vulnerability exists when
Windows Address Book (WAB) improperly processes vcard
files. (CVE-2020-1410)
- An information disclosure vulnerability exists when the
Windows Graphics component improperly handles objects in
memory. An attacker who successfully exploited this
vulnerability could obtain information to further
compromise the users system. An authenticated attacker
could exploit this vulnerability by running a specially
crafted application. The update addresses the
vulnerability by correcting how the Windows Graphics
Component handles objects in memory. (CVE-2020-1351)
- An elevation of privilege vulnerability exists when
Group Policy Services Policy Processing improperly
handle reparse points. An attacker who successfully
exploited this vulnerability could overwrite a targeted
file that would normally require elevated permissions.
(CVE-2020-1333)
- A remote code execution vulnerability exists when the
Windows font library improperly handles specially
crafted embedded fonts. An attacker who successfully
exploited the vulnerability could take control of the
affected system. An attacker could then install
programs; view, change, or delete data; or create new
accounts with full user rights. (CVE-2020-1408)
- An elevation of privilege vulnerability exists when the
Windows Modules Installer improperly handles file
operations. An attacker who successfully exploited this
vulnerability could gain elevated privileges.
(CVE-2020-1346)
- An elevation of privilege vulnerability exists when
Windows improperly handles calls to Advanced Local
Procedure Call (ALPC). An attacker who successfully
exploited this vulnerability could run arbitrary code in
the security context of the local system. An attacker
could then install programs; view, change, or delete
data; or create new accounts with full user rights.
(CVE-2020-1396)
- An information disclosure vulnerability exists when
Skype for Business is accessed via Internet Explorer. An
attacker who exploited the vulnerability could cause the
user to place a call without additional consent, leading
to information disclosure of the user profile. For the
vulnerability to be exploited, a user must click a
specially crafted URL that prompts the Skype app.
(CVE-2020-1432)
- An elevation of privilege vulnerability exists when the
Windows ActiveX Installer Service improperly handles
memory. (CVE-2020-1402)
- A remote code execution vulnerability exists in .NET
Framework, Microsoft SharePoint, and Visual Studio when
the software fails to check the source markup of XML
file input. An attacker who successfully exploited the
vulnerability could run arbitrary code in the context of
the process responsible for deserialization of the XML
content. (CVE-2020-1147)
- An elevation of privilege vulnerability exists when the
Windows Cryptography Next Generation (CNG) Key Isolation
service improperly handles memory. An attacker who
successfully exploited this vulnerability could run
processes in an elevated context. (CVE-2020-1359,
CVE-2020-1384)
- An elevation of privilege vulnerability exists in the
way that the Windows Network Connections Service handles
objects in memory. An attacker who successfully
exploited the vulnerability could execute code with
elevated permissions. (CVE-2020-1373, CVE-2020-1390,
CVE-2020-1427, CVE-2020-1428, CVE-2020-1438)
- An elevation of privilege vulnerability exists in the
way that the Windows Function Discovery Service handles
objects in memory. An attacker who successfully
exploited the vulnerability could execute code with
elevated permissions. (CVE-2020-1085)
- A remote code execution vulnerability exists in the way
that Microsoft Graphics Components handle objects in
memory. An attacker who successfully exploited the
vulnerability could execute arbitrary code on a target
system. (CVE-2020-1412)
- A remote code execution vulnerability exists when the
Windows Jet Database Engine improperly handles objects
in memory. An attacker who successfully exploited this
vulnerability could execute arbitrary code on a victim
system. An attacker could exploit this vulnerability by
enticing a victim to open a specially crafted file. The
update addresses the vulnerability by correcting the way
the Windows Jet Database Engine handles objects in
memory. (CVE-2020-1400, CVE-2020-1401, CVE-2020-1407)
- An information disclosure vulnerability exists when the
Windows kernel fails to properly initialize a memory
address. An attacker who successfully exploited this
vulnerability could obtain information to further
compromise the users system. (CVE-2020-1389,
CVE-2020-1419)
- This security update corrects a denial of service in the
Local Security Authority Subsystem Service (LSASS)
caused when an authenticated attacker sends a specially
crafted authentication request. A remote attacker who
successfully exploited this vulnerability could cause a
denial of service on the target system's LSASS service,
which triggers an automatic reboot of the system. The
security update addresses the vulnerability by changing
the way that LSASS handles specially crafted
authentication requests. (CVE-2020-1267)
- A remote code execution vulnerability exists in the way
that the Windows Graphics Device Interface (GDI) handles
objects in the memory. An attacker who successfully
exploited this vulnerability could take control of the
affected system. An attacker could then install
programs; view, change, or delete data; or create new
accounts with full user rights. (CVE-2020-1435)
- A remote code execution vulnerability exists in
Microsoft Windows that could allow remote code execution
if a .LNK file is processed. An attacker who
successfully exploited this vulnerability could gain the
same user rights as the local user. (CVE-2020-1421)");
# https://support.microsoft.com/en-us/help/4565539/windows-7-update-kb4565539
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f84b756f");
# https://support.microsoft.com/en-us/help/4565524/windows-7-update-kb4565524
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d3552b4f");
script_set_attribute(attribute:"solution", value:
"Apply Security Only update KB4565539 or Cumulative Update KB4565524.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1435");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'SharePoint DataSet / DataTable Deserialization');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/14");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');
include('install_func.inc');
get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');
bulletin = 'MS20-07';
kbs = make_list(
'4565524',
'4565539'
);
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
if (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
if (
smb_check_rollup(os:'6.1',
sp:1,
rollup_date:'07_2020',
bulletin:bulletin,
rollup_kb_list:[4565524, 4565539])
)
{
replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/smb_nt_ms20_jul_4565524.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_nt_ms20_jul_4565524.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/smb_nt_ms20_jul_4565524.nasl
Go back to menu.
How to Run
Here is how to run the KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Windows : Microsoft Bulletins plugin family.
- On the right side table select KB4565539: Windows 7 and Windows Server 2008 R2 July 2020 Security Update plugin ID 138460.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl smb_nt_ms20_jul_4565524.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a smb_nt_ms20_jul_4565524.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - smb_nt_ms20_jul_4565524.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state smb_nt_ms20_jul_4565524.nasl -t <IP/HOST>Go back to menu.
References
MSKB | Microsoft Knowledge Base: MSFT | Microsoft Security Bulletin:
- MS20-4565524, MS20-4565539
- 2020-A-0306-S, 2020-A-0313-S
- https://www.tenable.com/plugins/nessus/138460
- http://www.nessus.org/u?d3552b4f
- http://www.nessus.org/u?f84b756f
- https://vulners.com/nessus/SMB_NT_MS20_JUL_4565524.NASL
- 145867 - CentOS 8 : .NET Core (CESA-2020:2938)
- 145908 - CentOS 8 : .NET Core 3.1 (CESA-2020:2954)
- 138660 - Oracle Linux 8 : .NET / Core (ELSA-2020-2938)
- 138661 - Oracle Linux 8 : .NET / 3.1 / Core (ELSA-2020-2954)
- 138504 - RHEL 7 : .NET Core 2.1 on Red Hat Enterprise Linux (RHSA-2020:2937)
- 138500 - RHEL 8 : .NET Core (RHSA-2020:2938)
- 138505 - RHEL 7 : .NET Core 3.1 on Red Hat Enterprise Linux (RHSA-2020:2939)
- 138609 - RHEL 8 : .NET Core 3.1 (RHSA-2020:2954)
- 138842 - RHEL 8 : .NET Core (RHSA-2020:2988)
- 138606 - RHEL 8 : .NET Core (RHSA-2020:2989)
- 138453 - KB4558998: Windows 10 Version 1809 and Windows Server 2019 July 2020 Security Update
- 138454 - KB4565483: Windows 10 Version 1903 and Windows 10 Version 1909 July 2020 Security Update
- 138455 - KB4565489: Windows 10 Version 1803 July 2020 Security Update
- 138456 - KB4565503: Windows 10 Version 2004 July 2020 Security Update
- 138457 - KB4565508: Windows 10 Version 1709 July 2020 Security Update
- 138458 - KB4565511: Windows 10 Version 1607 and Windows Server 2016 July 2020 Security Update
- 138459 - KB4565513: Windows 10 July 2020 Security Update
- 138461 - KB4565529: Windows Server 2008 July 2020 Security Update
- 138462 - KB4565535: Windows Server 2012 July 2020 Security Update
- 138463 - KB4565540: Windows 8.1 and Windows Server 2012 R2 July 2020 Security Update
- 138465 - Security Update for .NET Core (July 2020)
- 138466 - Security Update for .NET Core SDK (July 2020)
- 138464 - Security Updates for Microsoft .NET Framework (July 2020)
- 138512 - Security Updates for Microsoft SharePoint Server (July 2020)
- 138473 - Security Updates for Microsoft Visual Studio Products (July 2020)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_nt_ms20_jul_4565524.nasl version 1.12. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
