Nessus Output :
Description
The remote Windows Server
2012 host is missing either the KB4025331 or KB4025343 security updates.
It is, therefore, affected by the following vulnerabilities :
- An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a reference to an external entity. An unauthenticated, remote attacker can exploit this, by convincing a user to create a Data Collector Set and import a specially crafted XML file, to disclose arbitrary files via an XML external entity (XXE) declaration. (CVE-2017-0170)
- A remote code execution vulnerability exists in Windows Explorer due to improper handling of executable files and shares during rename operations. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-8463)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8467)
- An information disclosure vulnerability exists in Win32k due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information.
(CVE-2017-8486)
- A security bypass vulnerability exists in Microsoft Windows when handling Kerberos ticket exchanges due to a failure to prevent tampering with the SNAME field. A man-in-the-middle attacker can exploit this to bypass the Extended Protection for Authentication security feature. (CVE-2017-8495)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8556)
- An information disclosure vulnerability exists in the Windows System Information Console due to improper parsing of XML input that contains a reference to an external entity. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to disclose arbitrary files via an XML external entity (XXE) declaration.
(CVE-2017-8557)
- An elevation of privilege vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. (CVE-2017-8561)
- An elevation of privilege vulnerability exists in the Windows due to improper handling of calls to Advanced Local Procedure Call (ALPC). An authenticated, remote attacker can exploit this via a specially crafted application, to run processes in an elevated context.
(CVE-2017-8562)
- An elevation of privilege vulnerability exists in Windows due to Kerberos falling back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. An authenticated, remote attacker can exploit this, via an application that sends specially crafted traffic to a domain controller, to run processes in an elevated context. (CVE-2017-8563)
- An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. An authenticated, remote attacker can exploit this, via a specially crafted application, to bypass Kernel Address Space Layout Randomization (KASLR) and disclose the base address of the kernel driver.
(CVE-2017-8564)
- A remote code execution vulnerability exists in PowerShell when handling a PSObject that wraps a CIM instance. An authenticated, remote attacker can exploit this, via a specially crafted script, to execute arbitrary code in a PowerShell remote session.
(CVE-2017-8565)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8573)
- An elevation of privilege vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8577)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8578)
- An elevation of privilege vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8580)
- An elevation of privilege vulnerability exists in Windows due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode.
(CVE-2017-8581)
- An information disclosure vulnerability exists in the HTTP.sys server application component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information.
(CVE-2017-8582)
- A denial of service vulnerability exists in Windows Explorer that is triggered when Explorer attempts to open a non-existent file. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a user's system to stop responding. (CVE-2017-8587)
- A remote code execution vulnerability exists in WordPad due to improper parsing of specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-8588)
- A remote code execution vulnerability exists in the Windows Search component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by sending specially crafted messages to the Windows Search service, to elevate privileges and execute arbitrary code. (CVE-2017-8589)
- An elevation of privilege vulnerability exists in the Windows Common Log File System (CLFS) driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run processes in an elevated context. (CVE-2017-8590)
- A security bypass vulnerability exists in Microsoft browsers due to improper handling of redirect requests.
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass CORS redirect restrictions. (CVE-2017-8592)
- A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-8606)
- A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-8607)
- A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-8608)
- A remote code execution vulnerability exists in Microsoft Edge in the scripting engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user.
(CVE-2017-8610)
- An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a reference to an external entity. An unauthenticated, remote attacker can exploit this, by convincing a user to create a Data Collector Set and import a specially crafted XML file, to disclose arbitrary files via an XML external entity (XXE) declaration. (CVE-2017-0170)
- A remote code execution vulnerability exists in Windows Explorer due to improper handling of executable files and shares during rename operations. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-8463)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8467)
- An information disclosure vulnerability exists in Win32k due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information.
(CVE-2017-8486)
- A security bypass vulnerability exists in Microsoft Windows when handling Kerberos ticket exchanges due to a failure to prevent tampering with the SNAME field. A man-in-the-middle attacker can exploit this to bypass the Extended Protection for Authentication security feature. (CVE-2017-8495)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8556)
- An information disclosure vulnerability exists in the Windows System Information Console due to improper parsing of XML input that contains a reference to an external entity. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to disclose arbitrary files via an XML external entity (XXE) declaration.
(CVE-2017-8557)
- An elevation of privilege vulnerability exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated permissions. (CVE-2017-8561)
- An elevation of privilege vulnerability exists in the Windows due to improper handling of calls to Advanced Local Procedure Call (ALPC). An authenticated, remote attacker can exploit this via a specially crafted application, to run processes in an elevated context.
(CVE-2017-8562)
- An elevation of privilege vulnerability exists in Windows due to Kerberos falling back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. An authenticated, remote attacker can exploit this, via an application that sends specially crafted traffic to a domain controller, to run processes in an elevated context. (CVE-2017-8563)
- An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. An authenticated, remote attacker can exploit this, via a specially crafted application, to bypass Kernel Address Space Layout Randomization (KASLR) and disclose the base address of the kernel driver.
(CVE-2017-8564)
- A remote code execution vulnerability exists in PowerShell when handling a PSObject that wraps a CIM instance. An authenticated, remote attacker can exploit this, via a specially crafted script, to execute arbitrary code in a PowerShell remote session.
(CVE-2017-8565)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8573)
- An elevation of privilege vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8577)
- An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8578)
- An elevation of privilege vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8580)
- An elevation of privilege vulnerability exists in Windows due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode.
(CVE-2017-8581)
- An information disclosure vulnerability exists in the HTTP.sys server application component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information.
(CVE-2017-8582)
- A denial of service vulnerability exists in Windows Explorer that is triggered when Explorer attempts to open a non-existent file. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a user's system to stop responding. (CVE-2017-8587)
- A remote code execution vulnerability exists in WordPad due to improper parsing of specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-8588)
- A remote code execution vulnerability exists in the Windows Search component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by sending specially crafted messages to the Windows Search service, to elevate privileges and execute arbitrary code. (CVE-2017-8589)
- An elevation of privilege vulnerability exists in the Windows Common Log File System (CLFS) driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run processes in an elevated context. (CVE-2017-8590)
- A security bypass vulnerability exists in Microsoft browsers due to improper handling of redirect requests.
An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass CORS redirect restrictions. (CVE-2017-8592)
- A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-8606)
- A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-8607)
- A remote code execution vulnerability exists in Microsoft browsers in the JavaScript engines due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user. (CVE-2017-8608)
- A remote code execution vulnerability exists in Microsoft Edge in the scripting engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to execute arbitrary code in the context of the current user.
(CVE-2017-8610)
Solution
Apply one of the following security updates :
- KB4025331
- KB4025343
- KB4025331
- KB4025343
See Also
Output
-
The registry key "SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding" is missing or is not equal to "1" or "2"
Remediation :
Even after applying the update you will see that Nessus still detects it as an vulnerability. In order to fully mitigate it you need to create the following entries
To help make LDAP authentication over SSL\TLS more secure, administrators can configure the following registry settings:
- Path for Active Directory Domain Services (AD DS) domain controllers: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
- Path for Active Directory Lightweight Directory Services (AD LDS) servers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters
- DWORD Name: LdapEnforceChannelBinding (Microsoft article has made a mistake and lists the DWORD Name as a Key which is incorrect )
- DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
- DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
- DWORD value: 2 indicates enabled, always.
All clients must provide channel binding information. The server
rejects authentication requests from clients that do not do so.
The Reluctant Sysad : Kb4025331: Windows Server 2012 July 2017 Cumulative Update >>>>> Download Now
ReplyDelete>>>>> Download Full
The Reluctant Sysad : Kb4025331: Windows Server 2012 July 2017 Cumulative Update >>>>> Download LINK
>>>>> Download Now
The Reluctant Sysad : Kb4025331: Windows Server 2012 July 2017 Cumulative Update >>>>> Download Full
>>>>> Download LINK