Proposed change for nasl to check for file existence

Hello, I’d like to propose a change to gb_ms_windows_defender_priv_escal_vuln_jul20.nasl, which reports on an insecure version of MpSigStub.exe for Windows Defender. Currently, the file only checks the registry for the expected version of the database.
Per the link:

The definitions are not updating on my system. What do I do?
This security update is delivered only through definition updates. This cannot happen if Defender is in a disabled state (such as in the case of a third-party antivirus product providing real time protection).
If Defender is disabled, you can delete the vulnerable file from the system: C:\WINDOWS\System32\MpSigStub.exe.

Given the lack of ability to update the file while a third party AV is installed, and the fact that it appears Windows Defender is not a commonly used antivirus for enterprise, I would like to propose the following changes to the nasl to check for the existence of the MpSigStub.exe file, and only report if the file does exist.

diff --git a/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl b/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
index 1010e3e..7e2f20b 100644
--- a/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
+++ b/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
@@ -22,11 +22,11 @@
-  script_version("2020-07-30T04:31:19+0000");
+  script_version("2020-12-11T18:18:32+0000");
   script_tag(name:"cvss_base", value:"3.6");
   script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:N/I:P/A:P");
-  script_tag(name:"last_modification", value:"2020-07-30 04:31:19 +0000 (Thu, 30 Jul 2020)");
+  script_tag(name:"last_modification", value:"2020-12-11 18:18:32 +0000 (Thu, 30 Jul 2020)");
   script_tag(name:"creation_date", value:"2020-07-27 11:50:35 +0530 (Mon, 27 Jul 2020)");
   script_name("Microsoft Defender Elevation of Privilege Vulnerability-July 2020");

@@ -63,7 +63,7 @@ if(description)
   script_tag(name:"solution", value:"Run the Windows Update to update the malware
   protection engine to the latest version available. Typically, no action is
   required as the built-in mechanism for the automatic detection and deployment
-  of updates will apply the update itself.");
+  of updates will apply the update itself. Alternatively, delete the MpSigStub.exe file.");

   script_tag(name:"solution_type", value:"VendorFix");
   script_tag(name:"qod_type", value:"executable_version");
@@ -87,6 +87,12 @@ if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2, win8_1:1, win8_1x64:1,win2012

+sysPath = smb_get_system32root();
+mpstigstubVer = fetch_file_version(sysPath:sysPath, file_name:"MpStigStub.exe");
+if (!mpstigstubVer) {
+  exit(0);
 key = "SOFTWARE\Microsoft\Windows Defender";

It’s a seemingly simple change, and I’ve attempted to follow the conventions as seen by the other nasl files, but please review.
I’ve attempted to run openvas-nasl against the file and my server, but I’m not sure how to pass the credentials to the command, nor was I easily finding the config file definition.

openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t <server> gb_ms_windows_defender_priv_escal_vuln_jul20.nasl

Let me know if there’s anything else I can do for this.

Thank you.

1 Like


Just checking- has this been reviewed? Is there something else I can provide regarding this?

Thank you.

Thanks for your report. It seems this thread was missed by the team working on this topic.

I have created an internal issue to review your suggestion.