AttackerKB AKB:21C170FF-C7C6-4BFB-8AED-613970EDA44C
History: Jun 08, 2021 - 12:00 a.m.

CVE-2021-31955

2021-06-08 00:00:00
attackerkb.com

CVSS2: 9.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS: 0.97
Percentile: 99.8%

Windows Kernel Information Disclosure Vulnerability
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

The team at Kaspersky has reported that threat actors are exploiting this Microsoft Windows OS kernel vulnerability in the wild.

Source: <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>

Recent assessments:

gwillcox-r7 at June 17, 2021 3:23pm UTC reported:

Ah, good old NtQuerySystemInformation() strikes again, never quite going out of style :) In this case CVE-2021-31955 is an information disclosure in good old ntoskrnl.exe, aka the Windows kernel itself, that occurs due to a Windows feature supported since Windows Vista known as SuperFetch. By sending a SystemSuperfetchInformation class request of type SuperfetchPrivSourceQuery via the undocumented NtQuerySystemInformation() function, one can obtain the kernel address of the EPROCESS structure for the current process. This is REALLY bad since the EPROCESS kernel structure also contains a pointer to the process's permissions token. If we know the address of this token, then, provided one has an arbitrary kernel write vulnerability, they can easily overwrite this pointer to point to the permissions token for a higher-privilege process, and if this process is running as SYSTEM, they will gain SYSTEM-level code execution.

According to <https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>, this was used in the wild alongside CVE-2021-31956 to escape the Chrome sandbox and gain SYSTEM on affected users' computers, after first compromising Chrome and gaining execution inside the Chrome sandbox with what is suspected to be CVE-2021-21224.

Assessed Attacker Value: 3
