Incorrect DLL referenced in CVE-2018-0886 for all Windows Versions

[t3sl45]

Hello, I'm using the latest OVAL file to scan for CVE-2018-0886 for "CredSSP Remote Code Execution Vulnerability", I've attached the section of the file containing this vulnerability below.

The issue is that Microsoft indicates that credssp.dll is not the file that was updated, the file updated is tspkg.dll. This can be found here (https://support.microsoft.com/en-us/topic/credssp-updates-for-cve-2018-0886-5cbf9e5f-dc6d-744f-9e97-7ba400d6d3ea).

Can this be looked at?

CVE-2018-0886.txt

[JanCooper]

Hi @t3sl45 ,
Thanks for bringing this issue to our attention. We are looking into it and will let you know what we find.
Jan

[t3sl45]

Thank you @JanCooper!

[JanCooper]

Hi @t3sl45
Per the Ad Hoc Contribution section of the Contributing.md, I've submitted your request to the OVAL Repository mailing list. You can sign up for the mailing list at https://lists.cisecurity.org/list/oval_repository.lists.cisecurity.org

I will post any responses here, until you indicate you have access to them yourself. I will also update the documentation to include the mailing list URL, as it currently is missing.

I hope this helps.
Jan

[t3sl45]

Good morning @JanCooper ,
Following up, I have signed up for the mailing list, but I have not received any update or mail from this list. What is a normal timeframe?

[JanCooper]

Hi Chris, The mailing list is made up of interested members of the OVAL community. As such, there is no specified timeline for a response. That said, it appears the response to your post occurred before you completed signing up. I’ve included it below: Hi @t3sl45<https://github.com/t3sl45>, Thank you for this feedback. As you probably know, the OVAL Community Repository is an open, community-driven project. This kind of feedback is terrific and we’d welcome updates to the repo to improve the quality of these detections. Would you (or someone from your organization) be interested in making these updates and submitting a PR for review? David

…

-- David Ries / Distinguished Security Developer Pronouns: he/him/his From: Chris ***@***.***> Sent: Friday, October 14, 2022 11:29 AM To: CISecurity/OVALRepo ***@***.***> Cc: Jan Cooper ***@***.***>; Mention ***@***.***> Subject: [External] Re: [CISecurity/OVALRepo] Incorrect DLL referenced in CVE-2018-0886 for all Windows Versions (Issue #1922) Good morning @JanCooper<https://github.com/JanCooper> , Following up, I have signed up for the mailing list, but I have not received any update or mail from this list. What is a normal timeframe? — Reply to this email directly, view it on GitHub<#1922 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AE52ZIYMUROIGGLECNDA5JTWDF3Z5ANCNFSM6AAAAAAQOULK4Q>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .

[t3sl45]

Yes, I can give it an attempt. I'll look at the references for doing a PR, I've not completed one before.

[t3sl45]

Good afternoon @JanCooper,
Thank you for getting this updated! Question as this was my first PR, was I supposed to input this as ACCEPTED? I left it as DRAFT thinking that it would be updated when the PR was reviewed, I may have misunderstood?

[JanCooper]

Hi Chris, You were correct in submitting the PR as DRAFT. I submitted my changes as DRAFT as well. Since we did not make changes to every aspect of the definition, those we didn’t touch kept their ACCEPTED status. ***@***.*** (Looking at the screenshot I realize I should have changed the submitter name to myself as well…) Jan From: Chris ***@***.***> Sent: Wednesday, November 2, 2022 12:43 PM To: CISecurity/OVALRepo ***@***.***> Cc: Jan Cooper ***@***.***>; Mention ***@***.***> Subject: [External] Re: [CISecurity/OVALRepo] Incorrect DLL referenced in CVE-2018-0886 for all Windows Versions (Issue #1922) Good afternoon @JanCooper<https://github.com/JanCooper>, Thank you for getting this updated! Question as this was my first PR, was I supposed to input this as ACCEPTED? I left it as DRAFT thinking that it would be updated when the PR was reviewed, I may have misunderstood? — Reply to this email directly, view it on GitHub<#1922 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AE52ZI25JKUNM7N77RJ4E2TWGKKY7ANCNFSM6AAAAAAQOULK4Q>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .

[t3sl45]

@JanCooper,

Apolgoies, just for clarification, it's supposed to say DRAFT going forward? I don't see anything else that has a DRAFT status in the Windows.xml?

[JanCooper]

Hi Chris, The submission process can get a bit confusing, and the documentation is not always easy to follow. I found the following information in Contributing.md<https://github.com/CISecurity/OVALRepo/blob/master/CONTRIBUTING.md>, under QA: If you submit a new definition, the <status> element should be set to INITIAL SUBMISSION. There should be no <status_ change> element. For an updated definition, there should be a <status_change> element. * If the <status> element for the original is DRAFT, <status_change> should also be DRAFT * If the <status> element for the original is INTERIM, <status_change> should also be INTERIM * If the <status> element for the original is ACCEPTED, <status_change> should be set to INTERIM. In this case, the <status> element must be updated to match the <status_change> element value. So for your updated definition, <status> and <status_change> should both have been set to INTERIM. Having set them to DRAFT is not a problem though. Status updates on repo submissions go through INITIAL SUBMISSION, DRAFT, INTERIM, and ACCEPTED stages. Having set the status to DRAFT has in essence given the community more time to review the submission before it reaches ACCEPTED status. Jan From: Chris ***@***.***> Sent: Friday, November 4, 2022 11:39 AM To: CISecurity/OVALRepo ***@***.***> Cc: Jan Cooper ***@***.***>; Mention ***@***.***> Subject: [External] Re: [CISecurity/OVALRepo] Incorrect DLL referenced in CVE-2018-0886 for all Windows Versions (Issue #1922) @JanCooper<https://github.com/JanCooper>, Apolgoies, just for clarification, it's supposed to say DRAFT going forward? I don't see anything else that has a DRAFT status in the Windows.xml? — Reply to this email directly, view it on GitHub<#1922 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AE52ZI5LKL54CHUA424UNCLWGUUZHANCNFSM6AAAAAAQOULK4Q>. You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>> ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .

[t3sl45]

Apologies @JanCooper, @DavidRies
I have to make more modifications to this. I didn't realize at the time that I needed to also update the Tests, Objects and State instead of just leaving them be. I may have some questions as I proceed to do this. Are these the only places that need to be modified for this considering the file being targeted and version numbers have changed?

[DavidRies]

Hi @t3sl45 , I'm not sure... what are you attempting to edit. is there a PR?

[t3sl45]

@DavidRies,
Yes #1925 was completed a while back due to the credssp.dll file being referenced instead of the tspkg.dll file. I modified the definition to replace credssp.dll with tspkg.dll and the version numbers of each, but I didn't change anything related to the tests, objects or state which appear to still be referencing the credssp.dll file.

[DavidRies]

I see! It looks like you primarily changed the text in the comments of the definition criteria. This won't actually change the way the definition works. The specification of which files to check, etc. actually happens in the tests, objects, states and variables.

[t3sl45]

I see. I'll start putting that together and refer to you with questions I may have along the way.