8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.97 High
EPSS
Percentile
99.6%
Windows Kernel Information Disclosure Vulnerability
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.
The team at Kaspersky have reported threat actors are exploiting this Microsoft Windows OS kernel vulnerability
Source: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>
Recent assessments:
gwillcox-r7 at June 17, 2021 3:23pm UTC reported:
Ah good old NtQuerySystemInformation()
strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old ntoskrnl.exe
, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. By sending a SystemSuperfetchInformation
class request of type SuperfetchPrivSourceQuery
via the undocumented NtQuerySystemInformation()
function, one can obtain the kernel address of the EPROCESS
structure for the current process. This is REALLY bad since the EPROCESS
kernel structure contains also contains a pointer to the process’s permissions token. If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher privilege process, and if this process is running as SYSTEM, they will gain SYSTEM level code execution.
According to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.
Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 5
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.97 High
EPSS
Percentile
99.6%