Scanner Identifying Vulnerabilities even after applying latest Microsoft cumulative security update


#1

Microsoft Technet states that applying the cumulative/monthly roll up takes care of all previous date platform related vulnerabilities. However, after applying the monthly roll up, the scanner is identifying platform vulnerabilities with CVEs dating back to 2016 or 2017.


#2

Thanks for your report. When creating a post about possible problems within vulnerability tests please try to always provide as much context and information about the environment in use like:

  1. Used operating system.
  2. VT showing possible issues.
  3. Anything else which could help to find possible issues.

AFAIK all Windows related Vulnerability-Tests are not checking if a specific patch/cumulative package is installed but are checking specific files if they have a version lower than expected. This should prevent that issues with e.g. superseded updates (e.g. by a roll up) are showing up.


#3

We have done VA for Windows Server 2012 R2 and the November Monthly rollup is installed on the server and we are getting old CVEs in the VA report.
Some of the CVEs are the following:
CVE-2015-2460, CVE-2015-2462, CVE-2015-2455, CVE-2015-2456, CVE-2015-2463
CVE-2015-2464, CVE-2016-0034, CVE-2015-6108, CVE-2015-1756, CVE-2014-4114
CVE-2017-8759, CVE-2016-3367, CVE-2015-1715, CVE-2016-0014, CVE-2016-0015
CVE-2016-0016, CVE-2016-0018, CVE-2016-0019, CVE-2016-0020


#4

Thanks for providing this information. Unfortunately just naming the CVEs doesn’t help that much as many of these CVEs are covered by multiple VTs.

It would be great if you could provide the name of the VTs reporting you this vulnerability and where you think that these are reporting wrongly.

One common pattern I’m seeing is that most of the VTs are related to either Silverlight, .NET Framework, Lync or MS Live. It might be possible that the Monthly-Rollup you have applied doesn’t update those components and the vulnerabilities reported are valid.


#5

Shared some of the VTs which seem to be platform related.

Microsoft Windows Multiple Vulnerabilities (KB4471320)
Microsoft Web Proxy Auto Discovery (WPAD) Privilege Elevation Vulnerabilities (3165191)
Microsoft Windows Multiple Vulnerabilities (KB4471320)
Microsoft Web Proxy Auto Discovery (WPAD) Privilege Elevation Vulnerabilities (3165191)
Microsoft Windows Telnet Service Remote Code Execution Vulnerability (3020393)
Microsoft Windows Common Controls Remote Code Execution Vulnerability (3059317)
Windows OLE Object Handling Arbitrary Code Execution Vulnerability (3000869)
Microsoft Windows Multiple Vulnerabilities (3124901)
Windows IExpress Untrusted Search Path Vulnerability
Microsoft Windows OLE Object Handling Code Execution Vulnerabilities (3011443)
Microsoft Windows Components Privilege Elevation Vulnerability (3025421)
Microsoft Windows Common Controls Remote Code Execution Vulnerability (3059317)
Windows OLE Object Handling Arbitrary Code Execution Vulnerability (3000869)
Microsoft Windows Multiple Vulnerabilities (3124901)
Windows IExpress Untrusted Search Path Vulnerability
Microsoft Windows OLE Object Handling Code Execution Vulnerabilities (3011443)
Microsoft Windows Components Privilege Elevation Vulnerability (3025421)
Scripting Engine Memory Corruption Vulnerability (KB4483187)
Scripting Engine Memory Corruption Vulnerability (KB4483187)
Microsoft Windows User Profile Service Privilege Escalation (3021674)
Microsoft Windows Application Compatibility Cache Privilege Escalation (3023266)
Microsoft Windows Secondary Logon Privilege Elevation Vulnerability (3143141)
Microsoft Windows Privilege Elevation Vulnerabilities (3049576)
Microsoft Windows PGM UAF Elevation of Privilege Vulnerability (3116130)
Microsoft USB Mass Storage Class Driver Privilege Elevation Vulnerability (3143142)
Microsoft Windows Multiple Vulnerabilities (3134228)
Microsoft Windows Multiple Vulnerabilities (3134228)
Microsoft Windows User Profile Service Privilege Escalation (3021674)
Microsoft Windows Application Compatibility Cache Privilege Escalation (3023266)
Microsoft Windows Secondary Logon Privilege Elevation Vulnerability (3143141)
Microsoft Windows Privilege Elevation Vulnerabilities (3049576)
Microsoft Windows PGM UAF Elevation of Privilege Vulnerability (3116130)
Microsoft USB Mass Storage Class Driver Privilege Elevation Vulnerability (3143142)
Microsoft Windows Multiple Vulnerabilities (3134228)
Microsoft Windows Multiple Vulnerabilities (3134228)


#6

Thanks for providing this additional information. Unfortunately it is currently not possible to reproduce your issue. As an example we’re taking this vulnerability:

which gives e.g. the following output against an unpatched Server 2012 R2 installation:

File checked:      C:\Windows\system32\win32k.sys
File version:      6.3.9600.17031
Vulnerable range:  Less than 6.3.9600.19208

If you open https://support.microsoft.com/en-us/help/4471320/windows-8-1-update-kb4471320 and open the “file information for update 4471320.” file you can see that applying this update will raise the Version of this file to 6.3.9600.19208 as correctly checked by this VT.

For now I would suggest to review the file version of the mentioned file and your patch process, maybe there are some issues while applying the updates?
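
An added example, not part of the original thread or of the scanner's own code: one way to run the file-version review suggested above directly on the host. The path and fixed version are the values quoted in post #6; the `$checks` table and the `Get-NumericFileVersion` helper are hypothetical names introduced here.

```powershell
# Files to verify and the version at which the scanner stops flagging them.
# The single entry uses the values quoted in the thread; extend as needed.
$checks = @(
    @{ Path = 'C:\Windows\system32\win32k.sys'; FixedVersion = '6.3.9600.19208' }
)

function Get-NumericFileVersion {
    param([Parameter(Mandatory)][string]$Path)
    # Build the version from the numeric parts: the FileVersion string can
    # carry extra text (such as a build tag) that [version] cannot parse.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$results = foreach ($c in $checks) {
    $fixed = [version]$c.FixedVersion
    try {
        $actual = Get-NumericFileVersion -Path $c.Path
        $status = 'AtOrAboveFixedVersion'
        if ($actual -lt $fixed) { $status = 'BelowFixedVersion' }
    } catch {
        # Missing file or access denied: report it instead of assuming patched.
        $actual = $null
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Path         = $c.Path
        FileVersion  = $actual
        FixedVersion = $fixed
        Status       = $status
    }
}
$results | Format-Table -AutoSize

# Updates as Windows itself reports them, newest first, to compare the
# patch inventory with the file-level result above.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```

Run it from a 64-bit PowerShell session so that `system32` is not redirected. A `BelowFixedVersion` row alongside a recent entry in the `Get-HotFix` list points at an update that did not apply cleanly or is waiting on a reboot.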