Hello, I’d like to propose a change to gb_ms_windows_defender_priv_escal_vuln_jul20.nasl, which reports on an insecure version of MpSigStub.exe for Windows Defender. Currently, the file only checks the registry for the expected version of the database.
Per the link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1461
The definitions are not updating on my system. What do I do?
This security update is delivered only through definition updates. This cannot happen if Defender is in a disabled state (such as in the case of a third-party antivirus product providing real time protection).
If Defender is disabled, you can delete the vulnerable file from the system: C:\WINDOWS\System32\MpSigStub.exe.
Given the lack of ability to update the file while a third-party AV is installed, and the fact that Windows Defender does not appear to be a commonly used antivirus in the enterprise, I would like to propose the following changes to the nasl to check for the existence of the MpSigStub.exe file, and to only report if the file does exist.
diff --git a/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl b/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
index 1010e3e..7e2f20b 100644
--- a/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
+++ b/gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
@@ -22,11 +22,11 @@
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.817314");
- script_version("2020-07-30T04:31:19+0000");
+ script_version("2020-12-11T18:18:32+0000");
script_cve_id("CVE-2020-1461");
script_tag(name:"cvss_base", value:"3.6");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:N/I:P/A:P");
- script_tag(name:"last_modification", value:"2020-07-30 04:31:19 +0000 (Thu, 30 Jul 2020)");
+ script_tag(name:"last_modification", value:"2020-12-11 18:18:32 +0000 (Thu, 30 Jul 2020)");
script_tag(name:"creation_date", value:"2020-07-27 11:50:35 +0530 (Mon, 27 Jul 2020)");
script_name("Microsoft Defender Elevation of Privilege Vulnerability-July 2020");
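Review bot: the `+` line for last_modification moves the timestamp to `2020-12-11 18:18:32 +0000` but keeps the old human-readable suffix `(Thu, 30 Jul 2020)`, so the two halves of the value now disagree (11 Dec 2020 is a Friday). Either update the parenthetical to match the new timestamp or leave script_version and last_modification untouched in the proposal, since they are normally refreshed when the change is merged.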
@@ -63,7 +63,7 @@ if(description)
script_tag(name:"solution", value:"Run the Windows Update to update the malware
protection engine to the latest version available. Typically, no action is
required as the built-in mechanism for the automatic detection and deployment
- of updates will apply the update itself.");
+ of updates will apply the update itself. Alternatively, delete the MpSigStub.exe file.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"executable_version");
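Review bot: the added sentence `Alternatively, delete the MpSigStub.exe file.` drops the condition the advisory quoted above attaches to it (deletion is only suggested when Defender is disabled and therefore cannot receive the definition update), so the solution text now reads as a general alternative to updating. Suggest wording it as `If Defender is disabled and cannot receive definition updates, the vulnerable file C:\WINDOWS\System32\MpSigStub.exe can be deleted instead.`; solution_type can stay VendorFix, since the update remains the primary fix.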
@@ -87,6 +87,12 @@ if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2, win8_1:1, win8_1x64:1,win2012
exit(0);
}
+sysPath = smb_get_system32root();
+mpstigstubVer = fetch_file_version(sysPath:sysPath, file_name:"MpStigStub.exe");
+if (!mpstigstubVer) {
+ exit(0);
+}
+
key = "SOFTWARE\Microsoft\Windows Defender";
if(!registry_key_exists(key:key)){
exit(0);
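Review bot: the file name in `fetch_file_version(sysPath:sysPath, file_name:"MpStigStub.exe")` is misspelled (extra `t`) compared with the MpSigStub.exe binary named in the description and solution text, so the lookup never finds the file, `if (!mpstigstubVer)` is true on every host and the check exits before the existing registry logic runs, silently producing no result even on vulnerable systems. Fix the string to `"MpSigStub.exe"` (and rename the variable, e.g. mpSigStubVer, for consistency); since the version is then available, consider comparing it against the fixed version rather than using it only as an existence test, which is what the `executable_version` qod_type declared above implies. Minor style point: the surrounding file writes `if(!registry_key_exists(key:key)){` without spaces, while the added lines use `if (...) {`.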
It’s a seemingly simple change, and I’ve attempted to follow the conventions as seen in the other nasl files, but please review.
I’ve attempted to run openvas-nasl against the file and my server, but I’m not sure how to pass the credentials to the command, nor was I easily finding the config file definition.
openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t <server> gb_ms_windows_defender_priv_escal_vuln_jul20.nasl
Let me know if there’s anything else I can do for this.
Thank you.