Dragos Prisaca
And again… with the attached file.

From: Dragos Prisaca

Hi,

I have updated the definition 2310 with the correct comment information. The comments were referring to mshtml.dll but the tests were
looking for rpcrt4.dll. Please see the attached file. Regards, Dragos Prisaca Secure Elements, Inc. C5 Security Labs www.secure-elements.com <?xml version="1.0" encoding="UTF-8"?> <oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <generator> <oval:product_name>The OVAL Repository</oval:product_name> <oval:schema_version>5.3</oval:schema_version> <oval:timestamp>2007-12-06T10:23:17.037-05:00</oval:timestamp> </generator> <definitions> <definition id="oval:org.mitre.oval:def:2310" version="1" class="vulnerability"> <metadata> <title>Vulnerability in RPC Could Allow Denial of Service</title> <affected family="windows"> <platform>Microsoft Windows 2000</platform> <platform>Microsoft Windows XP</platform> <platform>Microsoft Windows Server 2003</platform> <platform>Microsoft Windows Vista</platform> <product>Operating System</product> </affected> <reference source="CVE" ref_id="CVE-2007-2228" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2228"/> <description>rpcrt4.dll (aka the RPC runtime library) in Microsoft Windows XP SP2, XP Professional x64 Edition, Server 2003 SP1 and SP2, Server 2003 x64 Edition and x64 Edition SP2, and Vista and Vista x64 Edition allows remote attackers to cause a denial of service (RPCSS service stop and system restart) via an RPC request that uses NTLMSSP PACKET authentication with a zero-valued verification trailer signature, which triggers an invalid dereference. 
NOTE: this also affects Windows 2000 SP4, although the impact is an information leak.</description> <oval_repository> <dates> <submitted date="2007-10-10T04:39:42"> <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date="2007-10-11T10:02:53.129-04:00">DRAFT</status_change> <status_change date="2007-10-26T10:00:30.658-04:00">INTERIM</status_change> <status_change date="2007-11-13T12:01:07.905-05:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="OR"> <criteria operator="AND" comment="Win2K,SP4"> <extend_definition comment="Microsoft Windows 2000 SP4 or later is installed" definition_ref="oval:org.mitre.oval:def:229"/> <criterion comment="the version of rpcrt4.dll is less than 5.0.2195.7090" test_ref="oval:org.mitre.oval:tst:4347"/> </criteria> <criteria operator="AND" comment="WinXP,SP2"> <extend_definition comment="Microsoft Windows XP SP2 is installed" definition_ref="oval:org.mitre.oval:def:521"/> <criterion comment="the version of rpcrt4.dll is less than 5.1.2600.3173" test_ref="oval:org.mitre.oval:tst:4317"/> </criteria> <criteria operator="AND" comment="WinXP,SP1 (64-bit)"> <extend_definition comment="Microsoft Windows XP SP1 (64-bit) is installed" definition_ref="oval:org.mitre.oval:def:480"/> <criterion comment="the version of rpcrt4.dll is less than 5.2.3790.2971" test_ref="oval:org.mitre.oval:tst:4177"/> </criteria> <criteria operator="AND" comment="WinXP,SP2 (64-bit)"> <extend_definition comment="Microsoft Windows XP SP2 (64-bit) is installed" definition_ref="oval:org.mitre.oval:def:1799"/> <criterion comment="the version of rpcrt4.dll is less than 5.2.3790.4115" test_ref="oval:org.mitre.oval:tst:4469"/> </criteria> <criteria operator="AND" comment="S03,SP1"> <extend_definition comment="Microsoft Windows Server 2003 SP1 (x86) is installed" definition_ref="oval:org.mitre.oval:def:565"/> <criterion comment="the version of rpcrt4.dll is less 
than 5.2.3790.2971" test_ref="oval:org.mitre.oval:tst:4177"/> </criteria> <criteria operator="AND" comment="S03,SP2"> <extend_definition comment="Microsoft Windows Server 2003 SP2 (x86) is installed" definition_ref="oval:org.mitre.oval:def:1935"/> <criterion comment="the version of rpcrt4.dll is less than 5.2.3790.4115" test_ref="oval:org.mitre.oval:tst:4469"/> </criteria> <criteria operator="AND" comment="Windows Vista"> <extend_definition comment="Microsoft Windows Vista is installed" definition_ref="oval:org.mitre.oval:def:228"/> <criterion comment="the version of rpcrt4.dll is less than 6.0.6000.16525" test_ref="oval:org.mitre.oval:tst:4232"/> </criteria> </criteria> </definition> <definition id="oval:org.mitre.oval:def:565" version="1" class="inventory"> <metadata> <title>Microsoft Windows Server 2003 SP1 (x86) is installed</title> <affected family="windows"> <platform>Microsoft Windows Server 2003</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:2003:sp1:x86"/> <description>A version of Microsoft Windows Server 2003 Service Pack 1 (x86) is installed.</description> <oval_repository> <dates> <submitted date="2006-07-25T12:05:33"> <contributor organization="ThreatGuard, Inc.">Robert L. 
Hollis</contributor> </submitted> <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change> <status_change date="2006-09-27T12:29:31.197-04:00">INTERIM</status_change> <status_change date="2006-10-16T15:58:44.696-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/> <criterion comment="a version of Microsoft Windows Server 2003 is installed" test_ref="oval:org.mitre.oval:tst:4"/> <criterion comment="a version of Windows for the x86 architecture is installed" test_ref="oval:org.mitre.oval:tst:3823"/> <criterion comment="Win2K/XP/2003 service pack 1 is installed" test_ref="oval:org.mitre.oval:tst:2843"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:521" version="2" class="inventory"> <metadata> <title>Microsoft Windows XP SP2 is installed</title> <affected family="windows"> <platform>Microsoft Windows XP</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:xp:sp2"/> <description>The operating system installed on the system is Microsoft Windows XP SP2.</description> <oval_repository> <dates> <submitted date="2006-07-25T12:05:33"> <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change> <status_change date="2006-09-27T12:29:29.930-04:00">INTERIM</status_change> <status_change date="2006-10-16T15:58:43.496-04:00">ACCEPTED</status_change> <modified comment="Added CPE reference." 
date="2007-04-30T07:48:00.073-04:00"> <contributor organization="The MITRE Corporation">Jonathan Baker</contributor> </modified> <status_change date="2007-04-30T08:00:54.097-04:00">INTERIM</status_change> <status_change date="2007-05-23T15:05:48.210-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/> <criterion comment="Win2K/XP/2003 service pack 2 (or later) is installed" test_ref="oval:org.mitre.oval:tst:2837"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:480" version="1" class="inventory"> <metadata> <title>Microsoft Windows XP SP1 (64-bit) is installed</title> <affected family="windows"> <platform>Microsoft Windows XP</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:xp:sp1:64bit"/> <description>The operating system installed on the system is Microsoft Windows XP SP1 (64-bit).</description> <oval_repository> <dates> <submitted date="2006-07-25T12:05:33"> <contributor organization="ThreatGuard, Inc.">Robert L. 
Hollis</contributor> </submitted> <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change> <status_change date="2006-09-27T12:29:28.342-04:00">INTERIM</status_change> <status_change date="2006-10-16T15:58:42.090-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/> <criterion comment="a version of Windows for the ia64 architecture is installed" test_ref="oval:org.mitre.oval:tst:2747"/> <criterion comment="Win2K/XP/2003 service pack 1 is installed" test_ref="oval:org.mitre.oval:tst:2843"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:229" version="2" class="inventory"> <metadata> <title>Microsoft Windows 2000 SP4 or later is installed</title> <affected family="windows"> <platform>Microsoft Windows 2000</platform> </affected> <description>The operating system installed on the system is Microsoft Windows 2000 SP4.</description> <oval_repository> <dates> <submitted date="2006-07-25T12:05:33"> <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor> </submitted> <status_change date="2006-07-27T20:15:00.000-04:00">DRAFT</status_change> <status_change date="2006-09-27T12:29:16.978-04:00">INTERIM</status_change> <status_change date="2006-10-16T15:58:35.885-04:00">ACCEPTED</status_change> <modified comment="Added CPE reference." 
date="2007-04-30T07:48:00.915-04:00"> <contributor organization="The MITRE Corporation">Jonathan Baker</contributor> </modified> <status_change date="2007-04-30T08:11:20.008-04:00">INTERIM</status_change> <status_change date="2007-05-23T15:05:40.599-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/> <criterion comment="Windows 2000 is installed" test_ref="oval:org.mitre.oval:tst:2"/> <criterion comment="SP4 or later Installed" test_ref="oval:org.mitre.oval:tst:3073"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:228" version="2" class="inventory"> <metadata> <title>Microsoft Windows Vista is installed</title> <affected family="windows"> <platform>Microsoft Windows Vista</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:vista"/> <description>The operating system installed on the system is Microsoft Windows Vista</description> <oval_repository> <dates> <submitted date="2007-02-13T12:46:06"> <contributor organization="Secure Elements, Inc.">Dragos Prisaca</contributor> </submitted> <status_change date="2007-02-13T14:53:06-04:00">DRAFT</status_change> <status_change date="2007-03-21T16:17:12.775-04:00">INTERIM</status_change> <status_change date="2007-04-13T15:13:39.760-04:00">ACCEPTED</status_change> <modified comment="Added CPE reference." 
date="2007-04-30T07:48:00.893-04:00"> <contributor organization="The MITRE Corporation">Jonathan Baker</contributor> </modified> <status_change date="2007-04-30T07:56:25.929-04:00">INTERIM</status_change> <status_change date="2007-05-23T15:05:40.286-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria> <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/> <criterion comment="Windows Vista is installed" test_ref="oval:org.mitre.oval:tst:192"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:1935" version="1" class="inventory"> <metadata> <title>Microsoft Windows Server 2003 SP2 (x86) is installed</title> <affected family="windows"> <platform>Microsoft Windows Server 2003</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:2003:sp2:x86"/> <description>A version of Microsoft Windows Server 2003 Service Pack 2 (x86) is installed.</description> <oval_repository> <dates> <submitted date="2007-04-09T09:49:32"> <contributor organization="Secure Elements, Inc.">Sudhir Gandhe</contributor> </submitted> <status_change date="2007-04-09T11:20:00.000-05:00">DRAFT</status_change> <status_change date="2007-04-25T19:52:21.584-04:00">INTERIM</status_change> <modified comment="Dropped tst:4078 in favor of existing tst:3019." date="2007-04-26T13:47:00.955-04:00"> <contributor organization="ThreatGuard, Inc.">Robert L. 
Hollis</contributor> </modified> <status_change date="2007-05-23T15:05:34.661-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/> <criterion comment="a version of Microsoft Windows Server 2003 is installed" test_ref="oval:org.mitre.oval:tst:4"/> <criterion comment="a version of Windows for the x86 architecture is installed" test_ref="oval:org.mitre.oval:tst:3823"/> <criterion comment="Win2K/XP/2003 service pack 2 is installed" test_ref="oval:org.mitre.oval:tst:3019"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:1799" version="1" class="inventory"> <metadata> <title>Microsoft Windows XP SP2 (64-bit) is installed</title> <affected family="windows"> <platform>Microsoft Windows XP</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:xp:sp2:64bit"/> <description>The operating system installed on the system is Microsoft Windows XP SP2 (64-bit).</description> <oval_repository> <dates> <submitted date="2007-04-11T08:08:51"> <contributor organization="ThreatGuard, Inc.">Robert L. 
Hollis</contributor> </submitted> <status_change date="2007-04-12T20:15:00.000-04:00">DRAFT</status_change> <status_change date="2007-04-30T08:18:47.475-04:00">INTERIM</status_change> <status_change date="2007-05-23T15:05:31.948-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <extend_definition comment="Microsoft Windows XP is installed" definition_ref="oval:org.mitre.oval:def:105"/> <criterion comment="a version of Windows for the ia64 architecture is installed" test_ref="oval:org.mitre.oval:tst:2747"/> <criterion comment="Win2K/XP/2003 service pack 2 (or later) is installed" test_ref="oval:org.mitre.oval:tst:2837"/> </criteria> </definition> <definition id="oval:org.mitre.oval:def:105" version="2" class="inventory"> <metadata> <title>Microsoft Windows XP is installed</title> <affected family="windows"> <platform>Microsoft Windows XP</platform> </affected> <reference source="CPE" ref_id="cpe:/o:microsoft:windows-nt:xp"/> <description>The operating system installed on the system is Microsoft Windows XP.</description> <oval_repository> <dates> <submitted date="2006-06-26T12:55:00.000-04:00"> <contributor organization="The MITRE Corporation">Andrew Buttner</contributor> </submitted> <status_change date="2006-06-26T12:55:00.000-04:00">ACCEPTED</status_change> <modified comment="Added CPE reference." 
date="2007-04-30T07:48:00.244-04:00"> <contributor organization="The MITRE Corporation">Jonathan Baker</contributor> </modified> <status_change date="2007-04-30T08:01:55.267-04:00">INTERIM</status_change> <status_change date="2007-05-23T15:05:25.969-04:00">ACCEPTED</status_change> </dates> <status>ACCEPTED</status> </oval_repository> </metadata> <criteria operator="AND"> <criterion comment="the installed operating system is part of the Microsoft Windows family" test_ref="oval:org.mitre.oval:tst:99"/> <criterion comment="a version of Microsoft Windows XP is installed" test_ref="oval:org.mitre.oval:tst:3"/> </criteria> </definition> </definitions> <tests> <registry_test id="oval:org.mitre.oval:tst:2843" version="1" comment="Win2K/XP/2003 service pack 1 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:717"/> <state state_ref="oval:org.mitre.oval:ste:2662"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:3073" version="1" comment="SP4 or later Installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:717"/> <state state_ref="oval:org.mitre.oval:ste:2878"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:2" version="1" comment="Windows 2000 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:123"/> <state state_ref="oval:org.mitre.oval:ste:2"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:192" version="1" comment="Windows Vista is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:123"/> <state 
state_ref="oval:org.mitre.oval:ste:182"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:4" version="1" comment="a version of Microsoft Windows Server 2003 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:123"/> <state state_ref="oval:org.mitre.oval:ste:4"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:3823" version="1" comment="a version of Windows for the x86 architecture is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:1576"/> <state state_ref="oval:org.mitre.oval:ste:3649"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:3019" version="1" comment="Win2K/XP/2003 service pack 2 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:717"/> <state state_ref="oval:org.mitre.oval:ste:2827"/> </registry_test> <family_test id="oval:org.mitre.oval:tst:99" version="1" comment="the installed operating system is part of the Microsoft Windows family" check_existence="at_least_one_exists" check="only one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> <object object_ref="oval:org.mitre.oval:obj:99"/> <state state_ref="oval:org.mitre.oval:ste:99"/> </family_test> <registry_test id="oval:org.mitre.oval:tst:3" version="1" comment="a version of Microsoft Windows XP is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:123"/> <state state_ref="oval:org.mitre.oval:ste:3"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:2837" version="1" comment="Win2K/XP/2003 service pack 2 (or 
later) is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:717"/> <state state_ref="oval:org.mitre.oval:ste:2656"/> </registry_test> <registry_test id="oval:org.mitre.oval:tst:2747" version="1" comment="a version of Windows for the ia64 architecture is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:1576"/> <state state_ref="oval:org.mitre.oval:ste:2568"/> </registry_test> <file_test id="oval:org.mitre.oval:tst:4469" version="1" comment="the version of rpcrt4.dll is less than 5.2.3790.4115" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:2619"/> <state state_ref="oval:org.mitre.oval:ste:3954"/> </file_test> <file_test id="oval:org.mitre.oval:tst:4347" version="1" comment="the version of rpcrt4.dll is less than 5.0.2195.7090" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:2619"/> <state state_ref="oval:org.mitre.oval:ste:3118"/> </file_test> <file_test id="oval:org.mitre.oval:tst:4317" version="1" comment="the version of rpcrt4.dll is less than 5.1.2600.3173" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:2619"/> <state state_ref="oval:org.mitre.oval:ste:3865"/> </file_test> <file_test id="oval:org.mitre.oval:tst:4232" version="1" comment="the version of rpcrt4.dll is less than 6.0.6000.16525" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object 
object_ref="oval:org.mitre.oval:obj:2619"/> <state state_ref="oval:org.mitre.oval:ste:3914"/> </file_test> <file_test id="oval:org.mitre.oval:tst:4177" version="1" comment="the version of rpcrt4.dll is less than 5.2.3790.2971" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <object object_ref="oval:org.mitre.oval:obj:2619"/> <state state_ref="oval:org.mitre.oval:ste:3190"/> </file_test> </tests> <objects> <family_object id="oval:org.mitre.oval:obj:99" version="1" comment="This is the default family object. Only one family object should exist." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"/> <registry_object id="oval:org.mitre.oval:obj:123" version="1" comment="Registry key that hold the current windows os version" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key> <name>CurrentVersion</name> </registry_object> <registry_object id="oval:org.mitre.oval:obj:717" version="1" comment="This registry key holds the service pack installed on the host if one is present." 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key> <name>CSDVersion</name> </registry_object> <registry_object id="oval:org.mitre.oval:obj:1576" version="1" comment="This registry key identifies the architecture on the system" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SYSTEM\CurrentControlSet\Control\Session Manager\Environment</key> <name>PROCESSOR_ARCHITECTURE</name> </registry_object> <file_object id="oval:org.mitre.oval:obj:2619" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <path var_ref="oval:org.mitre.oval:var:200"/> <filename>rpcrt4.dll</filename> </file_object> <registry_object id="oval:org.mitre.oval:obj:219" version="1" comment="This registry key identifies the system root." xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <hive>HKEY_LOCAL_MACHINE</hive> <key>SOFTWARE\Microsoft\Windows NT\CurrentVersion</key> <name>SystemRoot</name> </registry_object> </objects> <states> <registry_state id="oval:org.mitre.oval:ste:2662" version="1" comment="The registry key has a value of Service Pack 1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>Service Pack 1</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:2878" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value operation="pattern match">^Service Pack [4-9]|\d{2,}$</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:2" version="1" comment="Registry key has a value of 5.0" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>5.0</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:182" version="1" comment="The registry key has a value of 6.0" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>6.0</value> </registry_state> 
<registry_state id="oval:org.mitre.oval:ste:4" version="1" comment="The registry key has a value of 5.2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>5.2</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:3649" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>x86</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:2827" version="1" comment="The registry key has a value of Service Pack 2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>Service Pack 2</value> </registry_state> <family_state id="oval:org.mitre.oval:ste:99" version="1" comment="Microsoft Windows family" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"> <family>windows</family> </family_state> <registry_state id="oval:org.mitre.oval:ste:3" version="1" comment="The registry key has a value of 5.1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>5.1</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:2656" version="1" comment="Regex that matches Service Pack 2 or later" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value operation="pattern match">^Service Pack [2-9]|\d{2,}$</value> </registry_state> <registry_state id="oval:org.mitre.oval:ste:2568" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <value>ia64</value> </registry_state> <file_state id="oval:org.mitre.oval:ste:3954" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <version operation="less than" datatype="version">5.2.3790.4115</version> </file_state> <file_state id="oval:org.mitre.oval:ste:3118" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <version operation="less than" datatype="version">5.0.2195.7090</version> </file_state> <file_state id="oval:org.mitre.oval:ste:3865" version="1" 
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <version operation="less than" datatype="version">5.1.2600.3173</version> </file_state> <file_state id="oval:org.mitre.oval:ste:3914" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <version operation="less than" datatype="version">6.0.6000.16525</version> </file_state> <file_state id="oval:org.mitre.oval:ste:3190" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"> <version operation="less than" datatype="version">5.2.3790.2971</version> </file_state> </states> <variables> <local_variable id="oval:org.mitre.oval:var:200" version="1" comment="Windows system 32 directory" datatype="string"> <concat> <object_component item_field="value" object_ref="oval:org.mitre.oval:obj:219"/> <literal_component>\System32</literal_component> </concat> </local_variable> </variables> </oval_definitions> |
bakerj
Thanks for the correction. The repository has been updated.

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: bakerj@...

>-----Original Message-----
>From: Dragos Prisaca [mailto:dprisaca@...]
>Sent: Thursday, December 06, 2007 4:09 PM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] FW: Updated oval def 2310
>
>And again... with the attached file.
>
>From: Dragos Prisaca
>Sent: Thursday, December 06, 2007 3:48 PM
>To: OVAL-DISCUSSION-LIST@...
>Subject: Updated oval def 2310
>
>Hi,
>
>I have updated the definition 2310 with the correct comment
>information. The comments were referring to mshtml.dll but the
>tests were looking for rpcrt4.dll.
>
>Please see the attached file.
>
>Regards,
>
>Dragos Prisaca
>
>Secure Elements, Inc.
>
>C5 Security Labs
>
>dprisaca@...
>
>www.secure-elements.com
>
>To unsubscribe, send an email message to
>LISTSERV@... with SIGNOFF OVAL-DISCUSSION-LIST in
>the BODY of the message. If you have difficulties, write to
>OVAL-DISCUSSION-LIST-request@....
Dragos Prisaca
In reply to this post by Dragos Prisaca
Hi,

It looks like the comment and the oval note do not match. I think the oval note should be updated.

<unknown_test id="oval:org.mitre.oval:tst:2531"
version="1" comment="Word 97 is installed"
check="all" check_existence="at_least_one_exists"
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
<oval-def:notes xmlns:oval1="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<oval-def:note>We think, but are not sure that the affected version of
bkupexec.exe is 3.60.1.298 The file should be found in C:Program
Files\VERITAS\Backup Exec\NT\bkupexec.exe</oval-def:note>
</oval-def:notes>
</unknown_test>

Regards,
Dragos Prisaca
Secure Elements, Inc.
C5 Security Labs
www.secure-elements.com
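
A consistency check for the two mismatches reported in this thread (criterion comments naming mshtml.dll while the test inspects rpcrt4.dll, and a test comment whose note describes something else), as an added example that is not part of the original posts or of the OVAL Repository's tooling. The sample document, its `oval:example:` ids, the finding labels and the word-overlap heuristic are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the attributes the checks read. The
# "oval:example:" ids are placeholders, not OVAL Repository ids.
SAMPLE = r"""<oval_definitions
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <criteria operator="OR">
        <criterion comment="the version of mshtml.dll is less than 5.1.2600.3173"
                   test_ref="oval:example:tst:1"/>
        <criterion comment="the version of rpcrt4.dll is less than 6.0.6000.16525"
                   test_ref="oval:example:tst:2"/>
        <criterion comment="Word 97 is installed" test_ref="oval:example:tst:3"/>
        <criterion comment="Word 97 is installed" test_ref="oval:example:tst:4"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <win:file_test id="oval:example:tst:1" comment="rpcrt4.dll version check">
      <win:object object_ref="oval:example:obj:1"/>
    </win:file_test>
    <win:file_test id="oval:example:tst:2" comment="rpcrt4.dll version check">
      <win:object object_ref="oval:example:obj:1"/>
    </win:file_test>
    <ind:unknown_test id="oval:example:tst:3" comment="Word 97 is installed">
      <notes><note>We think, but are not sure that the affected version of
        bkupexec.exe is 3.60.1.298</note></notes>
    </ind:unknown_test>
    <ind:unknown_test id="oval:example:tst:4" comment="Word 97 is installed">
      <notes><note>Word 97 is installed.</note></notes>
    </ind:unknown_test>
  </tests>
  <objects>
    <win:file_object id="oval:example:obj:1" version="1">
      <win:filename>rpcrt4.dll</win:filename>
    </win:file_object>
  </objects>
</oval_definitions>"""

FILE_RE = re.compile(r"[\w-]+\.(?:dll|exe|sys)\b", re.IGNORECASE)
STOP = {"the", "is", "of", "a", "an", "that", "in", "be", "are", "but", "not", "we"}


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def words(text):
    """Lower-cased content words, used for the comment/note overlap heuristic."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOP}


def lint(xml_text):
    """Return (test_id, finding) pairs for comment/test/note inconsistencies."""
    elems = list(ET.fromstring(xml_text).iter())

    # file_object id -> filename it collects
    filenames = {}
    for e in elems:
        if local(e.tag) == "file_object":
            for child in e:
                if local(child.tag) == "filename" and child.text:
                    filenames[e.get("id")] = child.text.strip().lower()

    # test id -> (test comment, filename of referenced object, note texts)
    tests = {}
    for e in elems:
        if local(e.tag).endswith("_test"):
            obj = next((c.get("object_ref") for c in e if local(c.tag) == "object"), None)
            notes = [n.text or "" for n in e.iter() if local(n.tag) == "note"]
            tests[e.get("id")] = (e.get("comment", ""), filenames.get(obj), notes)

    findings = []
    for e in elems:
        if local(e.tag) != "criterion":
            continue
        ref = e.get("test_ref")
        if ref not in tests:
            findings.append((ref, "dangling-test-ref"))
            continue
        filename = tests[ref][1]
        named = {m.lower() for m in FILE_RE.findall(e.get("comment", ""))}
        # The criterion comment names a file, but not the one the test collects.
        if filename and named and filename not in named:
            findings.append((ref, "comment-names-other-file"))

    # Heuristic (assumption): a note sharing no content word with its test's
    # comment probably describes a different check.
    for tid, (comment, _, notes) in tests.items():
        for note in notes:
            if not words(comment) & words(note):
                findings.append((tid, "note-unrelated-to-comment"))
    return findings


if __name__ == "__main__":
    for test_id, finding in lint(SAMPLE):
        print(test_id, finding)
```
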
Dragos Prisaca
Hi, I have updated def:188 to test
for Microsoft Word 97 and Word 2000 based on MS bulletin: http://www.microsoft.com/technet/security/bulletin/ms03-035.mspx.

Regards,
Dragos Prisaca
Secure Elements, Inc.
C5 Security Labs
www.secure-elements.com

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.3</oval:schema_version>
    <oval:timestamp>2008-02-27T15:56:49.736-05:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.mitre.oval:def:188" version="3" class="vulnerability">
      <metadata>
        <title>MS Word Macro Security Bypass Vulnerability</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
          <product>Microsoft Word 2000</product>
          <product>Microsoft Word 2002</product>
          <product>Microsoft Word 97</product>
        </affected>
        <reference source="CVE" ref_id="CVE-2003-0664" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0664"/>
        <description>Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document.</description>
        <oval_repository>
          <dates>
            <submitted date="2004-08-25T12:00:00.000-04:00">
              <contributor organization="The MITRE Corporation">Christine Walzer</contributor>
            </submitted>
            <modified date="2004-08-25T10:31:00.000-04:00" comment="Added word 2000 and winword.exe information">
              <contributor organization="The MITRE Corporation">Christine Walzer</contributor>
            </modified>
            <status_change date="2004-08-25T12:00:00.000-04:00">DRAFT</status_change>
            <status_change date="2004-09-09T12:00:00.000-04:00">INTERIM</status_change>
            <status_change date="2004-09-29T12:00:00.000-04:00">ACCEPTED</status_change>
            <modified date="2005-04-11T12:00:00.000-04:00" comment="modified wft-470 - corrected literal string">
              <contributor organization="The MITRE Corporation">Ingrid Skoog</contributor>
            </modified>
            <status_change date="2005-04-11T08:48:00.000-04:00">INTERIM</status_change>
            <status_change date="2005-04-27T12:07:00.000-04:00">ACCEPTED</status_change>
            <modified date="2006-08-28T12:00:00.000-04:00" comment="modified obj 1626 to use xsi:nil instead of a .* pattern match">
              <contributor organization="Centennial Software">John Hoyland</contributor>
            </modified>
            <status_change date="2006-08-28T12:00:00.000-04:00">INTERIM</status_change>
            <status_change date="2006-09-27T12:29:03.613-04:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria operator="OR">
        <criteria comment="Software section" operator="AND">
          <criterion comment="Word 2000 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2836"/>
          <criterion comment="the version of winword.exe is less than 9.0.0.7924" negate="false" test_ref="oval:org.mitre.oval:tst:2835"/>
        </criteria>
        <criteria operator="AND">
          <extend_definition comment="Microsoft Word 2002 is installed" definition_ref="oval:org.mitre.oval:def:973"/>
          <criterion comment="the version of Winword.exe is less than 10.0.5522.0" test_ref="oval:com.secure-elements.oval:tst:9001"/>
        </criteria>
        <criteria operator="AND">
          <criterion comment="Word 97 is installed" negate="false" test_ref="oval:org.mitre.oval:tst:2531"/>
          <criterion comment="the version of winword.exe is less than 8.0.0.9125 " negate="false" test_ref="oval:com.secure-elements.oval:tst:9002"/>
        </criteria>
      </criteria>
    </definition>
    <definition id="oval:org.mitre.oval:def:973" version="1" class="inventory">
      <metadata>
        <title>Microsoft Word 2002 is installed</title>
        <affected family="windows">
          <platform>Microsoft Windows 2000</platform>
          <platform>Microsoft Windows XP</platform>
          <platform>Microsoft Windows Server 2003</platform>
        </affected>
        <reference source="CPE" ref_id="cpe:/a:microsoft:word:2002"/>
        <description>The application Microsoft Word 2002 is installed.</description>
        <oval_repository>
          <dates>
            <submitted date="2006-10-11T05:29:41">
              <contributor organization="ThreatGuard, Inc.">Robert L. Hollis</contributor>
            </submitted>
            <status_change date="2006-10-13T14:55:00.000-04:00">DRAFT</status_change>
            <status_change date="2006-10-31T19:35:52.155-05:00">INTERIM</status_change>
            <status_change date="2006-11-21T21:28:03.268-05:00">ACCEPTED</status_change>
          </dates>
          <status>ACCEPTED</status>
        </oval_repository>
      </metadata>
      <criteria>
        <criterion comment="Word 2002 is installed" test_ref="oval:org.mitre.oval:tst:2641"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <registry_test id="oval:org.mitre.oval:tst:2836" version="1" comment="Word 2000 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:1626"/>
    </registry_test>
    <file_test id="oval:org.mitre.oval:tst:2835" version="1" check="at least one" comment="the version of winword.exe is less than 9.0.0.7924" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:492"/>
      <state state_ref="oval:org.mitre.oval:ste:2655"/>
    </file_test>
    <registry_test id="oval:org.mitre.oval:tst:2641" version="1" comment="Word 2002 is installed" check_existence="at_least_one_exists" check="at least one" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:1510"/>
    </registry_test>
    <file_test id="oval:com.secure-elements.oval:tst:9001" version="1" comment="the version of Winword.exe is less than 10.0.5522.0" check_existence="at_least_one_exists" check="all" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:492"/>
      <state state_ref="oval:com.secure-elements.oval:ste:9001"/>
    </file_test>
    <unknown_test id="oval:org.mitre.oval:tst:2531" version="1" comment="Word 97 is installed" check="all" check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
      <oval-def:notes xmlns:oval1="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <oval-def:note>Word 97 is installed.</oval-def:note>
      </oval-def:notes>
    </unknown_test>
    <file_test id="oval:com.secure-elements.oval:tst:9002" version="1" check="at least one" comment="the version of winword.exe is less than 8.0.0.9125 " check_existence="at_least_one_exists" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <object object_ref="oval:org.mitre.oval:obj:492"/>
      <state state_ref="oval:com.secure-elements.oval:ste:9002"/>
    </file_test>
  </tests>
  <objects>
    <registry_object id="oval:org.mitre.oval:obj:1626" version="2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Office\9.0\Word\InstallRoot</key>
      <name xsi:nil="true"/>
    </registry_object>
    <file_object id="oval:org.mitre.oval:obj:492" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <path var_ref="oval:org.mitre.oval:var:221"/>
      <filename>winword.exe</filename>
    </file_object>
    <registry_object id="oval:org.mitre.oval:obj:493" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe</key>
      <name>Path</name>
    </registry_object>
    <registry_object id="oval:org.mitre.oval:obj:1510" version="2" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <hive>HKEY_LOCAL_MACHINE</hive>
      <key>SOFTWARE\Microsoft\Office\10.0\Word\InstallRoot</key>
      <name xsi:nil="true"/>
    </registry_object>
  </objects>
  <states>
    <file_state id="oval:org.mitre.oval:ste:2655" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="less than">9.0.0.7924</version>
    </file_state>
    <file_state id="oval:com.secure-elements.oval:ste:9001" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="less than">10.0.5522.0</version>
    </file_state>
    <file_state id="oval:com.secure-elements.oval:ste:9002" version="1" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
      <version datatype="version" operation="less than">8.0.0.9125</version>
    </file_state>
  </states>
  <variables>
    <local_variable id="oval:org.mitre.oval:var:221" version="1" comment="Word install directory" datatype="string">
      <object_component item_field="value" object_ref="oval:org.mitre.oval:obj:493"/>
    </local_variable>
  </variables>
</oval_definitions>
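How def:188 as posted evaluates under OVAL's three-valued AND/OR logic, as an added example that is not part of the original post or of the OVAL Repository. The tree shape, test ids and version bounds come from the definition; the host facts, the tuple encoding and the function names are assumptions of this example. It shows that the Word 97 branch can reach at most "unknown", because tst:2531 is an unknown_test.

```python
# Added example: three-valued evaluation of def:188's criteria tree.
# Tree shape, test ids and version bounds are transcribed from the definition
# in the post; the host facts in HOSTS are constructed for illustration.

def ver(s):
    """OVAL 'version' datatype: compare dot-separated integer components.
    Assumes both sides have the same number of components, as they do here."""
    return tuple(int(part) for part in s.strip().split("."))

def combine(op, results):
    """OVAL AND/OR truth table, restricted to true / false / unknown."""
    decisive = "false" if op == "AND" else "true"
    if decisive in results:
        return decisive
    if "unknown" in results:
        return "unknown"
    return "true" if op == "AND" else "false"

DEF_188 = ("OR", [
    ("AND", [("installed", "9.0"),   ("below", "9.0.0.7924")]),   # tst:2836, tst:2835
    ("AND", [("installed", "10.0"),  ("below", "10.0.5522.0")]),  # def:973,  tst:9001
    ("AND", [("unknown", "Word 97"), ("below", "8.0.0.9125")]),   # tst:2531, tst:9002
])

def evaluate(node, host):
    kind, arg = node
    if kind in ("AND", "OR"):
        return combine(kind, [evaluate(child, host) for child in arg])
    if kind == "unknown":      # an unknown_test always evaluates to "unknown"
        return "unknown"
    if kind == "installed":    # registry_test: Office\<arg>\Word\InstallRoot exists
        return "true" if arg in host["office_keys"] else "false"
    # file_test: winword.exe exists and its version is below the bound
    if host["winword"] is None:
        return "false"
    return "true" if ver(host["winword"]) < ver(arg) else "false"

HOSTS = {  # constructed sample hosts
    "word2002_unpatched": {"office_keys": {"10.0"}, "winword": "10.0.2627.0"},
    "word2000_patched":   {"office_keys": {"9.0"},  "winword": "9.0.0.8000"},
    "word97_unpatched":   {"office_keys": set(),    "winword": "8.0.0.5000"},
}

def results():
    return {name: evaluate(DEF_188, host) for name, host in HOSTS.items()}

if __name__ == "__main__":
    for name, result in results().items():
        print(f"{name}: {result}")
```

A scanner that reports only "true" results as findings would not flag the constructed Word 97 host, so "unknown" results for this definition need separate review.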
Worrell, Bryan A.
Dragos,
Thank you for your submission to the OVAL Repository. Your updates have been posted for further community review.

Thank you,
Bryan Worrell
__
Bryan Worrell
The MITRE Corporation
bworrell@...

>-----Original Message-----
>From: Dragos Prisaca [mailto:dprisaca@...]
>Sent: Wednesday, February 27, 2008 5:40 PM
>To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
>Subject: [OVAL-DISCUSSION-LIST] Updated oval def:188
>
>Hi,
>
>I have updated def:188 to test for Microsoft Word 97 and Word
>2000 based on MS bulletin:
>http://www.microsoft.com/technet/security/bulletin/ms03-035.mspx.
>
>Regards,
>Dragos Prisaca
>
>Secure Elements, Inc.
>C5 Security Labs
>dprisaca@...
>www.secure-elements.com
>
>To unsubscribe, send an email message to
>LISTSERV@... with SIGNOFF OVAL-DISCUSSION-LIST in
>the BODY of the message. If you have difficulties, write to
>OVAL-DISCUSSION-LIST-request@....
Dragos Prisaca
Hi,

Here is an updated version of def:3556 with the correct affected product: .NET Framework.

Regards,
Dragos Prisaca
Secure Elements, Inc.
C5 Security Labs
www.secure-elements.com

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows windows-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd"
    xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <generator>
    <oval:product_name>The OVAL Repository</oval:product_name>
    <oval:schema_version>5.4</oval:schema_version>
    <oval:timestamp>2008-04-11T17:27:12.012-04:00</oval:timestamp>
  </generator>
  <definitions>
    <definition id="oval:org.mitre.oval:def:3556" version="5" class="vulnerability">
      <metadata>
        <title>.NET Framework v1.1 Security Bypass</title>