
Word docs with macros for IcedID (Bokbot), (Wed, Jul 15th)

Introduction

Today’s diary reviews Microsoft Word documents whose macros infected vulnerable Windows hosts with IcedID malware (also known as Bokbot) on Tuesday 2020-07-14. The campaign behind these documents has previously pushed Valak or Ursnif, often with IcedID as the follow-up malware to those infections.


Shown above: A list of some of the Word documents seen from this campaign on 2020-07-14.


Shown above: Screenshot from one of the Word documents.

Infection activity

Enabling macros caused the victim host to generate an HTTP request ending in .cab that returned a Windows DLL file.


Shown above: HTTP request ending in .cab that returned a DLL file.

This DLL file was saved to the victim host in the same directory as the Word document, and it was run using regsvr32.exe [filename].


Shown above: Location the DLL was saved to on the victim host, run with regsvr32.exe.

During a successful infection, we saw HTTPS traffic to ldrglobal[.]casa and subsequent HTTPS traffic to various domain names ending in .top.


Shown above: Traffic from an infection filtered in Wireshark.

The IcedID installer uses steganography as part of its infection process, something Malwarebytes reported in December 2019 and other vendors have described since. We saw evidence of the steganography typical of IcedID in the infected user’s AppData\Local\Temp directory. In this directory, we found a file with a name ending in .tmp that was actually a PNG image, and we also found a Windows executable (EXE) file for IcedID with a file name ending in .exe.


Shown above: PNG image (file name ending in .tmp) with encoded data used to create EXE for IcedID (file name ending in .exe).

During the infection process, we saw another PNG image that also has encoded data associated with the IcedID infection.


Shown above: Another PNG file containing encoded data associated with the IcedID infection.

IcedID was made persistent on the infected Windows host through a scheduled task, as shown below.


Shown above: IcedID malware persistent on the infected Windows host.
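To turn the chain above into checks a responder can run, here is an added example (not code from the diary or from SANS) in Python covering three of the observables the diary describes: a .cab request that returns a DLL, regsvr32.exe launched by Word to load a .tmp file, and a .tmp file in the Temp directory that is really a PNG. The JSON-lines log format with Sysmon-style field names, the user name, the sample URL and all file contents are assumptions.

```python
"""Checks for the IcedID artifacts the diary describes (added example; not SANS or diary code).
  1. an HTTP request "ending in .cab" whose response body is a PE (DLL), not a cabinet;
  2. regsvr32.exe spawned by an Office application, loading a file from the user profile;
  3. *.tmp files in the user's Temp directory that are really PNG images (the stego carrier).
The JSON-lines log with Sysmon-style field names and every sample value are assumptions.
"""
import json
import ntpath
import re
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def cab_request_returned_pe(url: str, body: bytes) -> bool:
    """True when a URL that claims to serve a .cab answered with a PE file (MZ header)."""
    path, _, query = url.partition("?")
    claims_cab = path.lower().endswith(".cab") or ".cab" in query.lower()
    return claims_cab and body[:2] == b"MZ"  # a genuine cabinet starts with b"MSCF"


def suspicious_regsvr32(event: dict):
    """Return the file regsvr32.exe was asked to load if its parent is an Office app, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "regsvr32.exe" or parent not in OFFICE_PARENTS:
        return None
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', event.get("CommandLine", ""))]
    # The first non-switch argument is the DLL path; the diary's were *.tmp files beside the .doc.
    return next((t for t in tokens[1:] if not t.startswith("/")), "")


def scan_process_log(log_text: str) -> list:
    """Apply suspicious_regsvr32 to JSON-lines process-creation events; return flagged DLL paths."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            dll = suspicious_regsvr32(json.loads(line))
            if dll is not None:
                hits.append(dll)
    return hits


def find_png_tmp_files(directory) -> list:
    """Return names of *.tmp files in `directory` whose first bytes are the PNG signature."""
    hits = []
    for p in Path(directory).iterdir():
        if not (p.is_file() and p.suffix.lower() == ".tmp"):
            continue
        try:
            with p.open("rb") as f:
                if f.read(8) == PNG_MAGIC:
                    hits.append(p.name)
        except OSError:  # locked or unreadable files are skipped, not fatal
            continue
    return sorted(hits)


def build_sample_temp_dir() -> str:
    """Constructed stand-in for %LOCALAPPDATA%\\Temp; names follow the diary, contents are fake."""
    d = Path(tempfile.mkdtemp())
    (d / "~331517.tmp").write_bytes(PNG_MAGIC + b"\x00" * 64)  # PNG carrier with a .tmp name
    (d / "~446334.exe").write_bytes(b"MZ" + b"\x00" * 64)      # the EXE built from it
    (d / "wct1234.tmp").write_bytes(b"\x00" * 16)              # an ordinary Office temp file
    return str(d)


# Constructed Sysmon-style events: one matching the diary's run method, two benign.
SAMPLE_LOG = r'''
{"ParentImage": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe C:\\Users\\alice\\Downloads\\Tm.tmp"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\msxml3.dll"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE", "CommandLine": "\"C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\alice\\Downloads\\certificate-07.14.2020.doc\""}
'''

if __name__ == "__main__":
    print(scan_process_log(SAMPLE_LOG))                 # ['C:\\Users\\alice\\Downloads\\Tm.tmp']
    print(find_png_tmp_files(build_sample_temp_dir()))  # ['~331517.tmp']
    print(cab_request_returned_pe("/x/sol.php?l=file1.cab", b"MZ\x90\x00"))  # True
```

On a real host, point find_png_tmp_files at the user's Temp directory and feed scan_process_log an export of Sysmon event ID 1 records; the benign regsvr32.exe run from explorer.exe in the sample shows why the parent-process condition matters.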

Indicators of Compromise (IOCs)

35 examples of Word docs with macros for IcedID (read: SHA256 hash  file name)


Domains called by the Word macros for the initial malware DLL (read: domain name – IP address)


HTTP GET requests for the initial malware DLL


18 examples of the initial malware DLL, all installers for IcedID (read: SHA256 hash  file name)

     
  • Note 1: These DLL files are usually located in the same directory as the Word doc. In one case, the Word doc was in the Downloads folder, but the DLL appeared in C:\Users\[username]\Documents instead.

  • Note 2: Run method for these DLLs is regsvr32.exe [filename]

Traffic from a successful IcedID infection on a Windows 7 host

  • port 443 (HTTPS) – support.apple.com – decoy traffic caused by IcedID (not malicious)
  • port 443 (HTTPS) – support.microsoft.com – decoy traffic caused by IcedID (not malicious)
  • 104.248.62[.]43 port 443 (HTTPS) – ldrglobal[.]casa – GET /background.png
  • port 443 (HTTPS) – www.intel.com – decoy traffic caused by IcedID (not malicious)
  • port 443 (HTTPS) – help.twitter.com – decoy traffic caused by IcedID (not malicious)
  • port 443 (HTTPS) – support.oracle.com – decoy traffic caused by IcedID (not malicious)
  • 194.5.249[.]158 port 443 (HTTPS) – slizilinno[.]top – HTTPS traffic caused by IcedID
  • 194.5.249[.]158 port 443 (HTTPS) – portivitto[.]top – HTTPS traffic caused by IcedID
  • 194.5.249[.]158 port 443 (HTTPS) – mramoritto[.]top – HTTPS traffic caused by IcedID

Malware and artifacts from the IcedID infection

SHA256 hash: a7ad6e44b04de2a1ee35ea4db024efd60d5d49a075491592ed666d187797dfd7

  • File size: 573,767 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\~331517.tmp
  • File type: PNG image data, 762 x 400, 8-bit/color RGB, non-interlaced
  • File description: PNG image with encoded data used to create IcedID EXE below, not inherently malicious on its own

SHA256 hash: f7ba573893a9c59c66d4d54c8259ab6ac1e6e8b90c580f267a10bf333bcfd531

  • File size: 569,344 bytes
  • File location: C:\Users\[username]\AppData\Local\Temp\~446334.exe
  • File description: Windows executable for IcedID malware created using encoded data from the above PNG file

SHA256 hash: 9ad02a119c0df3fb652557b2b5c3136a3fb7f80e78774f1bffd5237eb2d9a514

  • File size: 569,344 bytes
  • File location: C:\Users\[username]\AppData\Local\jifa32\Ugikio32.exe
  • File description: Windows executable IcedID malware persistent on infected host (same file as above with different hash)

SHA256 hash: e6e0adcc94c3c4979ea1659c7125a11aa7cdabe24a36f63bfe1f2aeee2c5d3a1

  • File size: 669,381 bytes
  • File location: C:\Users\[username]\AppData\Roaming\[username]\haopac3.png
  • File type: PNG image data, 614 x 514, 8-bit/color RGB, non-interlaced
  • File description: PNG image with encoded data associated with IcedID infection, not inherently malicious on its own

Final words

I normally run malware in a Windows 10 environment, but when testing these Word docs, I was unable to generate a full infection chain until I used a Windows 7 host.

This is a good reminder that Windows 10 provides a more secure environment than Windows 7. People who follow best security practices while running the latest version of Windows are unlikely to get infected by this malware. However, we continue to see this and other campaigns on a daily basis, so this type of distribution apparently remains profitable for the criminals behind the malware.

A pcap of the infection traffic and malware samples for today’s diary can be found here.


Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Microsoft July 2020 Patch Tuesday – Patch Now!, (Tue, Jul 14th)

This month we got patches for 123 vulnerabilities. Of these, 17 are critical and 2 were previously disclosed.

Amongst critical vulnerabilities, there is a critical remote code execution (RCE) vulnerability (CVE-2020-1350) affecting Windows DNS Server on multiple Windows Server versions, including 2008, 2012, 2016 and 2019. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account.

The DNS Server vulnerability scores a perfect 10 CVSS and is considered wormable, which means it has the potential to spread via malware between vulnerable computers without user interaction. Microsoft advises everyone running DNS servers to apply the security update as soon as possible. For those unable to apply the patch right away, Microsoft recommends applying a workaround described in the CVE-2020-1350 vulnerability advisory. The workaround consists of a registry modification and requires only a restart of the DNS service, not a reboot of the OS. Special guidance for the DNS Server vulnerability, including further details about the workaround, is available here: https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability

There is also a critical RCE vulnerability affecting the Windows Graphics Device Interface (GDI) (CVE-2020-1435). An attacker could exploit this vulnerability by convincing users to view a specially crafted website or by sending them an e-mail with a malicious attachment. The CVSS score for this one is 8.80.

A third RCE worth mentioning in today’s diary affects Hyper-V RemoteFX vGPU (CVE-2020-1036). To exploit this vulnerability, an attacker could run a specially crafted application on a guest operating system that attacks certain third-party video drivers running on the Hyper-V host, which could then cause the host operating system to execute arbitrary code. There is no patch for this vulnerability yet. According to the vulnerability FAQ, if you are running Windows Server 2016 or Windows Server 2019, Microsoft recommends the use of Discrete Device Assignment (DDA) instead of RemoteFX vGPU to enable graphics virtualization. For more details, read: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1036

See Renato’s dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Framework, SharePoint Server, and Visual Studio Remote Code Execution Vulnerability | CVE-2020-1147 | No | No | More Likely | More Likely | Critical | | |
| Azure DevOps Server Cross-site Scripting Vulnerability | CVE-2020-1326 | No | No | Less Likely | Less Likely | Important | | |
| Bond Denial of Service Vulnerability | CVE-2020-1469 | No | No | Less Likely | Less Likely | Important | | |
| Connected User Experiences and Telemetry Service Information Disclosure Vulnerability | CVE-2020-1386 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| DirectWrite Remote Code Execution Vulnerability | CVE-2020-1409 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| GDI+ Remote Code Execution Vulnerability | CVE-2020-1435 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
| Group Policy Services Policy Processing Elevation of Privilege Vulnerability | CVE-2020-1333 | No | No | Less Likely | Less Likely | Important | 6.7 | 6.0 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1032 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1036 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1040 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1041 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1043 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | CVE-2020-1042 | No | No | Less Likely | Less Likely | Critical | 8.0 | 7.6 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1400 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1401 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2020-1407 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| LNK Remote Code Execution Vulnerability | CVE-2020-1421 | No | No | Less Likely | Less Likely | Critical | 7.5 | 6.7 |
| Local Security Authority Subsystem Service Denial of Service Vulnerability | CVE-2020-1267 | No | No | Less Likely | Less Likely | Important | 4.9 | 4.4 |
| Microsoft Defender Elevation of Privilege Vulnerability | CVE-2020-1461 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Microsoft Edge PDF Information Disclosure Vulnerability | CVE-2020-1433 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| Microsoft Excel Remote Code Execution Vulnerability | CVE-2020-1240 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Graphics Component Information Disclosure Vulnerability | CVE-2020-1351 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Microsoft Graphics Components Remote Code Execution Vulnerability | CVE-2020-1412 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7 |
| Microsoft Graphics Remote Code Execution Vulnerability | CVE-2020-1408 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.9 |
| Microsoft Guidance for Enabling Request Smuggling Filter on IIS Servers | ADV200008 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Elevation of Privilege Vulnerability | CVE-2020-1025 | No | No | Less Likely | Less Likely | Critical | | |
| Microsoft Office Information Disclosure Vulnerability | CVE-2020-1342 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Information Disclosure Vulnerability | CVE-2020-1445 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Remote Code Execution Vulnerability | CVE-2020-1458 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1456 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1450 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2020-1451 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft OneDrive Elevation of Privilege Vulnerability | CVE-2020-1465 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Outlook Remote Code Execution Vulnerability | CVE-2020-1349 | No | No | Less Likely | Less Likely | Critical | | |
| Microsoft Project Remote Code Execution Vulnerability | CVE-2020-1449 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Reflective XSS Vulnerability | CVE-2020-1454 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Remote Code Execution Vulnerability | CVE-2020-1444 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2020-1443 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2020-1446 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2020-1447 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2020-1448 | No | No | Less Likely | Less Likely | Important | | |
| Office Web Apps XSS Vulnerability | CVE-2020-1442 | No | No | Less Likely | Less Likely | Important | | |
| PerformancePoint Services Remote Code Execution Vulnerability | CVE-2020-1439 | No | No | Less Likely | Less Likely | Critical | | |
| Remote Desktop Client Remote Code Execution Vulnerability | CVE-2020-1374 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Skype for Business via Internet Explorer Information Disclosure Vulnerability | CVE-2020-1432 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability | CVE-2020-1462 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| VBScript Remote Code Execution Vulnerability | CVE-2020-1403 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | CVE-2020-1481 | No | No | Less Likely | Less Likely | Important | | |
| Visual Studio and Visual Studio Code Elevation of Privilege Vulnerability | CVE-2020-1416 | No | No | Less Likely | Less Likely | Important | | |
| Windows ALPC Elevation of Privilege Vulnerability | CVE-2020-1396 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows ActiveX Installer Service Elevation of Privilege Vulnerability | CVE-2020-1402 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Address Book Remote Code Execution Vulnerability | CVE-2020-1410 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0 |
| Windows Agent Activation Runtime Information Disclosure Vulnerability | CVE-2020-1391 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | CVE-2020-1431 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | CVE-2020-1359 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | CVE-2020-1384 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows COM Server Elevation of Privilege Vulnerability | CVE-2020-1375 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Credential Enrollment Manager Service Elevation of Privilege Vulnerability | CVE-2020-1368 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Credential Picker Elevation of Privilege Vulnerability | CVE-2020-1385 | No | No | Less Likely | Less Likely | Important | 4.5 | 4.1 |
| Windows DNS Server Remote Code Execution Vulnerability | CVE-2020-1350 | No | No | More Likely | More Likely | Critical | 10.0 | 9.0 |
| Windows Diagnostics Hub Elevation of Privilege Vulnerability | CVE-2020-1418 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Diagnostics Hub Elevation of Privilege Vulnerability | CVE-2020-1393 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1388 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1392 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1394 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2020-1395 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Information Disclosure Vulnerability | CVE-2020-1420 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Error Reporting Manager Elevation of Privilege Vulnerability | CVE-2020-1429 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Event Logging Service Elevation of Privilege Vulnerability | CVE-2020-1365 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Event Logging Service Elevation of Privilege Vulnerability | CVE-2020-1371 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Font Driver Host Remote Code Execution Vulnerability | CVE-2020-1355 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Font Library Remote Code Execution Vulnerability | CVE-2020-1436 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
| Windows Function Discovery Service Elevation of Privilege Vulnerability | CVE-2020-1085 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2020-1468 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2020-1381 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Graphics Component Elevation of Privilege Vulnerability | CVE-2020-1382 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Imaging Component Information Disclosure Vulnerability | CVE-2020-1397 | No | No | Less Likely | Less Likely | Important | 4.3 | 3.9 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1336 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2020-1411 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1419 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1367 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1389 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Information Disclosure Vulnerability | CVE-2020-1426 | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
| Windows Lockscreen Elevation of Privilege Vulnerability | CVE-2020-1398 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1 |
| Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | CVE-2020-1372 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability | CVE-2020-1405 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Windows Mobile Device Management Diagnostics Information Disclosure Vulnerability | CVE-2020-1330 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Modules Installer Elevation of Privilege Vulnerability | CVE-2020-1346 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1373 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1390 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1427 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1428 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Connections Service Elevation of Privilege Vulnerability | CVE-2020-1438 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network List Service Elevation of Privilege Vulnerability | CVE-2020-1406 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Network Location Awareness Service Elevation of Privilege Vulnerability | CVE-2020-1437 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Picker Platform Elevation of Privilege Vulnerability | CVE-2020-1363 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Print Workflow Service Elevation of Privilege Vulnerability | CVE-2020-1366 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Profile Service Elevation of Privilege Vulnerability | CVE-2020-1360 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Push Notification Service Elevation of Privilege Vulnerability | CVE-2020-1387 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
| Windows Resource Policy Information Disclosure Vulnerability | CVE-2020-1358 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1422 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1353 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1370 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1399 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1404 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1413 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1414 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1415 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Runtime Elevation of Privilege Vulnerability | CVE-2020-1249 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows SharedStream Library Elevation of Privilege Vulnerability | CVE-2020-1463 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Storage Services Elevation of Privilege Vulnerability | CVE-2020-1347 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Subsystem for Linux Elevation of Privilege Vulnerability | CVE-2020-1423 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Sync Host Service Elevation of Privilege Vulnerability | CVE-2020-1434 | No | No | Less Likely | Less Likely | Important | 4.5 | 4.1 |
| Windows System Events Broker Elevation of Privilege Vulnerability | CVE-2020-1357 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows UPnP Device Host Elevation of Privilege Vulnerability | CVE-2020-1354 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows UPnP Device Host Elevation of Privilege Vulnerability | CVE-2020-1430 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows USO Core Worker Elevation of Privilege Vulnerability | CVE-2020-1352 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Update Stack Elevation of Privilege Vulnerability | CVE-2020-1424 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Denial of Service Vulnerability | CVE-2020-1364 | No | No | Less Likely | Less Likely | Important | 7.1 | 6.4 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1344 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1362 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Elevation of Privilege Vulnerability | CVE-2020-1369 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows WalletService Information Disclosure Vulnerability | CVE-2020-1361 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows iSCSI Target Service Elevation of Privilege Vulnerability | CVE-2020-1356 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |


Renato Marinho
Morphus Labs | LinkedIn | Twitter
