Hi,

On 15.08.2017 03:42, Jeremy Pennington wrote:
> Thanks for this additional information. It looks like the check for
> fontsub.dll is what is causing the FP. According to
> https://support.microsoft.com/en-us/help/2847311/ms13-081-description-of-the-security-update-for-kernel-mode-drivers-oc,
> the patched file version for 2012 is 6.2.9200.16384, which is the version
> my 2012 server is reporting.
>
> Is this something that can be corrected in the plugin?
> Thanks

thanks again for your reply. The plugin was updated to report the version of
the file where the detection happened and the vulnerable range. This update
arrived in the feed once the plugin reached revision 6938.

But I'm still wondering about the Fontsub.dll version. According to your
posted link:

https://support.microsoft.com/en-us/help/2847311/ms13-081-description-of-the-security-update-for-kernel-mode-drivers-oc

the Fontsub.dll is listed twice:

Fontsub.dll  6.2.9200.16453  96,256  08-Nov-2012  04:20  x64
Fontsub.dll  6.2.9200.16384  96,256  26-Jul-2012  03:05  x64

The plugin is checking for a version < 6.2.9200.16453 against Windows
Server 2012 but you have installed 6.2.9200.16384. Not quite sure if this is
an issue in the advisory or at the target system where the second update in
Nov 2012 was missed.

Regards,

> On Mon, Aug 14, 2017 at 3:45 AM, Christian Fischer <
> christian.fisc...@greenbone.net> wrote:
>
>> Hi,
>>
>> On 14.08.2017 04:18, Jeremy Pennington wrote:
>>> It appears the plugin for MS Windows Kernel-Mode Drivers Remote Code
>>> Execution Vulnerabilities (2870008) is producing a false positive on
>>> Server 2012 (version 6.2 build 9200). If I understand the plugin's logic
>>> correctly, it is looking at the file version of
>>> %systemroot%\Windows\System32\win32k.sys. On the server the file
>>> version is showing as 6.2.9200.22210, which is higher than the version
>>> that addresses this Security Bulletin according to
>>> https://support.microsoft.com/en-us/help/2883150.
>>>
>>> Let me know if there is any additional information that would be helpful
>>> in reviewing this or if there is a better forum or method for discussing
>>> FPs.
>>>
>>> Thanks for reviewing this.
>>> JP
>>
>> thanks for your report. On a Windows Server 2012 it checks not only for
>> win32k.sys but also for various files and their version:
>>
>> %systemroot%\system32\Fontsub.dll
>> -> less than 6.2.9200.16453
>>
>> %systemroot%\system32\drivers\usbd.sys
>> -> less than 6.2.9200.16654
>> OR
>> -> in range of 6.2.9200.20000 and 6.2.9200.20760
>>
>> %systemroot%\system32\drivers\hidparse.sys
>> -> less than 6.2.9200.16654
>> OR
>> -> in range of 6.2.9200.20000 and 6.2.9200.20762
>>
>> %systemroot%\system32\win32k.sys
>> -> less than 6.2.9200.16699
>> OR
>> -> in range of 6.2.9200.20000 and 6.2.9200.20806
>>
>> %systemroot%\system32\Wdfres.dll
>> -> less than 6.2.9200.16384
>>
>> Might be possible that either one of those files didn't get updated
>> correctly on your system (not that likely IMHO) or that one of those
>> version checks doesn't match what the patch has actually patched.
>>
>> Regards,
>>
>> --
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | http://greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>> _______________________________________________
>> Openvas-discuss mailing list
>> Openvas-discuss@wald.intevation.org
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
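The version checks quoted in the thread can be reproduced directly on the target, which is the quickest way to tell whether a finding like this one is a plugin range problem or a file that really was left behind. The following script is an added example; it is not part of the mailing-list thread and not the OpenVAS plugin's own code. The file paths and version ranges are exactly the ones quoted in Christian Fischer's message for Windows Server 2012; the function names, the hashtable layout and the output format are this example's own choices.

```powershell
# Added example (not from the thread or the OpenVAS plugin): re-run the
# plugin's file-version checks for MS13-081 / KB2870008 locally on a
# Windows Server 2012 host and show which file, if any, triggers the finding.
# Paths and ranges are the ones quoted in the thread; $null means the check
# has no second (.20xxx) range.

$checks = @(
    @{ File = 'System32\fontsub.dll';          LessThan = '6.2.9200.16453'; RangeLow = $null;            RangeHigh = $null },
    @{ File = 'System32\drivers\usbd.sys';     LessThan = '6.2.9200.16654'; RangeLow = '6.2.9200.20000'; RangeHigh = '6.2.9200.20760' },
    @{ File = 'System32\drivers\hidparse.sys'; LessThan = '6.2.9200.16654'; RangeLow = '6.2.9200.20000'; RangeHigh = '6.2.9200.20762' },
    @{ File = 'System32\win32k.sys';           LessThan = '6.2.9200.16699'; RangeLow = '6.2.9200.20000'; RangeHigh = '6.2.9200.20806' },
    @{ File = 'System32\Wdfres.dll';           LessThan = '6.2.9200.16384'; RangeLow = $null;            RangeHigh = $null }
)

function Get-FileVersionObject {
    param([string]$Path)
    # Build a System.Version from the numeric parts. The FileVersion *string*
    # of Windows binaries frequently carries a build tag such as
    # "6.2.9200.16384 (win8_rtm.120725-1247)" that will not cast to [version],
    # so the four numeric properties are used instead.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-VulnerableVersion {
    param([version]$Installed, [string]$LessThan, [string]$RangeLow, [string]$RangeHigh)
    # Same shape as the plugin logic quoted in the thread: flagged when the
    # installed version is below the first fix version, OR when it falls
    # inside the second (.20xxx) range, if the check has one.
    if ($Installed -lt [version]$LessThan) { return $true }
    if ($RangeLow -and $RangeHigh) {
        if ($Installed -ge [version]$RangeLow -and $Installed -le [version]$RangeHigh) { return $true }
    }
    return $false
}

foreach ($c in $checks) {
    $path = Join-Path $env:SystemRoot $c.File
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output ("{0,-45} MISSING" -f $path)
        continue
    }
    $installed = Get-FileVersionObject -Path $path
    $vuln = Test-VulnerableVersion -Installed $installed -LessThan $c.LessThan `
                                   -RangeLow $c.RangeLow -RangeHigh $c.RangeHigh
    $state  = if ($vuln) { 'VULNERABLE' } else { 'ok' }
    $expect = "< $($c.LessThan)"
    if ($c.RangeLow) { $expect += " or $($c.RangeLow) .. $($c.RangeHigh)" }
    Write-Output ("{0,-45} {1,-16} {2,-11} (flagged if {3})" -f $path, $installed, $state, $expect)
}
```

Run it from a 64-bit, elevated PowerShell session: a 32-bit session is redirected to SysWOW64 and would report the wrong copies of these files. On the server described in the thread the expected result is that win32k.sys (6.2.9200.22210) is above both of its ranges and passes, while fontsub.dll at 6.2.9200.16384 is reported as VULNERABLE against the < 6.2.9200.16453 check, which is exactly the discrepancy the thread is trying to resolve.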