oval_repository@lists.cisecurity.org

A list for people using the OVAL repository.


Windows OVAL Definition for CVE-2012-41338 False Positive Issue

Jan Cooper
Tue, Sep 27, 2022 4:10 PM

Please see Issue #1923 <https://github.com/CISecurity/OVALRepo/issues/1923> from the CISecurity OVAL Repo: Windows OVAL Definition for CVE-2012-41338 False Positive Issue

Submitted by https://github.com/l4s09. The text is as follows:

Hello,

This is regarding Windows OVAL Definition for CVE-2012-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability.

Microsoft indicates that this firewallAPI.dll has two binary versions depending on the location, System32 or WoW64. The issue is that OVAL checks only the version number regardless of its location.

For example:

Microsoft indicates that Windows Server 2016 is vulnerable if:

The firewallapi.dll version in the "%WinDir%\System32" directory is less than 10.0.14393.4169.
OR
The firewallapi.dll version in the "%WinDir%\sysWoW64" directory is less than 10.0.14393.4704.

However, Windows OVAL Definition simply indicates that Windows Server 2016 is vulnerable if the firewallAPI.dll version is less than 10.0.14393.4704. Therefore, it marks a server running Windows Server 2016 as vulnerable to this CVE-2012-41338 because the firewallapi.dll version in the "%WinDir%\System32" directory is less than 10.0.14393.4704.

I've attached the section of the Windows OVAL Definition containing this vulnerability for your reference.

Can someone please tell me how to remediate this?

Your help will be much appreciated.

Thank you.

CVE-2021-41338.txt

Thank you!

    Jan Cooper
    Sr. Software Engineer - Optimus
    31 Tech Valley Drive
    East Greenbush, NY 12061

    Jan.Cooper@cisecurity.org
    518-516-3083


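The per-directory comparison described in the message, next to the location-blind one, as an added example (not part of the original post or of the OVAL repository). The thresholds are the ones quoted in the message; the function names and the sample inventories are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '10.0.14393.4169' into (10, 0, 14393, 4169) so parts compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


# Windows Server 2016 thresholds as quoted in the message, keyed by directory.
FIXED_BY_DIR: Dict[str, Version] = {
    r"%windir%\system32": parse_version("10.0.14393.4169"),
    r"%windir%\syswow64": parse_version("10.0.14393.4704"),
}
# The single threshold the message says the definition applies to every copy.
FLAT_FIXED = parse_version("10.0.14393.4704")


def flat_check(found: Dict[str, Optional[str]]) -> bool:
    """Location-blind logic: vulnerable if any copy is below FLAT_FIXED."""
    return any(v is not None and parse_version(v) < FLAT_FIXED
               for v in found.values())


def path_aware_check(found: Dict[str, Optional[str]]) -> bool:
    """Vulnerable only if a copy is below the threshold for its own directory."""
    for directory, version in found.items():
        fixed = FIXED_BY_DIR.get(directory.lower())
        if version is None or fixed is None:
            continue  # file absent, or a directory this check does not cover
        if parse_version(version) < fixed:
            return True
    return False


# Constructed inventories: directory -> firewallapi.dll version (None = file absent).
PATCHED = {r"%WinDir%\System32": "10.0.14393.4169",
           r"%WinDir%\SysWOW64": "10.0.14393.4704"}
UNPATCHED = {r"%WinDir%\System32": "10.0.14393.4046",
             r"%WinDir%\SysWOW64": "10.0.14393.4046"}
NO_WOW64 = {r"%WinDir%\System32": "10.0.14393.4169",
            r"%WinDir%\SysWOW64": None}

if __name__ == "__main__":
    for name, host in [("patched", PATCHED), ("unpatched", UNPATCHED),
                       ("no SysWOW64 copy", NO_WOW64)]:
        print(f"{name}: flat={flat_check(host)} path_aware={path_aware_check(host)}")
```

On the constructed patched host the flat check reports vulnerable while the path-aware check does not, which is the false positive the message describes.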