KB4538032 fails to Update Visual Studio 2015 Update 3 Executable

Asked by ME-6236

My Nessus vulnerability scanner suddenly picked up a finding that was originally published in March 2020, and flagged all instances of VS 2015 Update 3 in my environment as lacking KB4538032. More specifically, it says that this directory here:

C:\Program Files (x86)\Microsoft Visual Studio 14.0

has an installed version of 14.0.25420.1, but actually needs 14.0.27539.1 - some digging around seems to indicate they mean the devenv.exe in COMMON7/IDE, since that EXE has version 14.0.25420.1 according to its details.

Installing KB4538032 works - it successfully installs and I see it in the "View Installed Updates" listing on Windows 10. However, it fails to increment the target file (assumed to be devenv), as the version remains 14.0.25420.1 and Nessus still finds it and flags it as being incorrect.

(Curiously Nessus' finding itself, which you can see here: https://www.tenable.com/plugins/nessus/134381 only talks about 2017 and 2019, but the patch here https://www.catalog.update.microsoft.com/Search.aspx?q=4538032 is definitely for 2015 - and neither 2017 nor 2019 are installed on these targets, excepting one).

Is there a follow-on action that needs to be done with this KB? It doesn't appear to work quite like Nessus expects, and if there's another way to update VS to the more current version that Nessus wants I'm not sure how to go about doing it.

Tags: windows-10-general, vs-general

Reza-Ameri answered:

In case the update is successful and there is no error, I advise you to report it to the Nessus support team so they can investigate this issue; it might be a false positive in their scanner.


ME-6236 commented:

Hello,

It would appear that the scanner is correct - I do seem to find the offending version number (on a file a few directories in).
KipeGaretCGIFederal-2992 answered:

I am also seeing the exact same issue as ME-6236. Nessus is picking up the false positive, even though KB4538032 has been successfully installed.


RichC-9471 answered:

Same issue here. VS2015 update 3 and KB4538032 applied, yet Nessus scan still fails.


ME-6236 answered:

Last week, I dug through my issue-tracker here at the office and discovered that I had actually addressed this plugin before, back in April of 2020. Back then, deploying the KB patch went successfully and the vulnerability was mitigated. I simply didn't even think to look before rolling this patch out because usually if it's a recurrent issue it will be flagged as "Previously Mitigated" - which mine was not.

It would appear that the scanner is specifically looking for the DiagnosticsHub.StandardCollector.Runtime.dll file in the target directory and (as of writing) wants it to be a version greater than 14.0.27539.1 - which mine is, as manual inspection reveals (mine is 14.0.27544.0 currently).

Citation: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-the-elevation-of-privilege-vulnerability-in-microsoft-visual-studio-2015-update-3-march-10-2020-dc928afd-e065-ef34-c739-94d3978e6f58

ACAS reports the file is 14.0.25420.1 still, which doesn't appear to be the case. Thus, I believe the issue is with ACAS itself, not the KB. What's most curious is that the results explicitly point to the 2015 directory for me, but the description text only indicates 2017 and 2019 - neither of which are deployed on these machines regardless.

I'll have to find a way to contact them to see what the issue is.
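A local check of what the scanner is apparently comparing, added here as an example and not code from the thread, from Tenable or from Microsoft. It assumes the install root quoted in the question, the file names named in the thread (DiagnosticsHub.StandardCollector.Runtime.dll and devenv.exe), the 14.0.27539.1 fix level the thread reports, and an "at or above" comparison; the exact operator and file list the Nessus plugin uses are not stated on the page. The registry lookup for the KB's Uninstall entry is also an assumption about how the VS update registers itself.

```powershell
# Added example (not from the thread): report the file versions under the VS 2015
# install root that a scanner might compare against the KB4538032 fix level.
# Assumptions: install root as quoted in the question; threshold 14.0.27539.1 as
# reported in the thread; "patched" means version at or above that threshold.
$VsRoot    = 'C:\Program Files (x86)\Microsoft Visual Studio 14.0'
$Expected  = [version]'14.0.27539.1'
$FileNames = @('DiagnosticsHub.StandardCollector.Runtime.dll', 'devenv.exe')

function Get-FileVersionObject {
    param([System.IO.FileInfo]$File)
    $vi = $File.VersionInfo
    # Build from the numeric parts: the FileVersion string can carry trailing build text
    # that would make a plain string comparison unreliable.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$results = foreach ($name in $FileNames) {
    # The DLL sits a few directories down, so search the whole install root.
    $found = Get-ChildItem -Path $VsRoot -Recurse -Filter $name -File -ErrorAction SilentlyContinue
    if (-not $found) {
        [pscustomobject]@{ File = $name; Path = '(not found)'; Version = $null; Patched = $false }
        continue
    }
    foreach ($f in $found) {
        $v = Get-FileVersionObject -File $f
        [pscustomobject]@{
            File    = $name
            Path    = $f.FullName
            Version = $v
            Patched = ($v -ge $Expected)
        }
    }
}

$results | Format-Table -AutoSize

# Separately confirm the update is registered (this is what "View Installed Updates"
# lists). Assumption: the VS 2015 update registers under the Uninstall keys with the
# KB number in its DisplayName.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'KB4538032' } |
    Select-Object DisplayName, DisplayVersion, InstallDate
```

Run it in an elevated PowerShell session on one of the flagged hosts. If every row shows Patched = True and the Uninstall entry is present, the host-side evidence contradicts the scanner's reported 14.0.25420.1, which is the material to attach when raising the false positive with the vendor; if a row shows a lower version, that file is the one the KB did not update and the finding is genuine.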


BenjaminJohn-2954 answered:

Anybody been able to follow up with Nessus on this issue?
