{"id": "MALWAREBYTES:42218FB85F05643E0B2C2C7D259EFEB5", "type": "malwarebytes", "bulletinFamily": "blog", "title": "Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday", "description": "The list of July 2021 Patch Tuesday updates looks endless. 117 patches with no less than 42 CVEs assigned to them that have FAQs, mitigations details or workarounds listed for them. Looking at the urgency levels Microsoft has assigned to them, system administrators have their work cut out for them once again:\n\n * 13 criticial patches\n * 103 important patches\n\nYou can find the list of CVEs that have FAQs, mitigations, or workarounds on the Microsoft [July release notes](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) page.\n\nSix vulnerabilities were previously disclosed and four are being exploited in-the-wild, according to Microsoft. One of those CVE\u2019s is a familiar one, [2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) aka the anyone-can-run-code-as-domain-admin RCE known as [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>). Microsoft issued out-of-band patches for that vulnerability a week ago, but those were [not as comprehensive](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) as one might have hoped. \n\nSince then, the Cybersecurity and Infrastructure Security Agency\u2019s (CISA) has issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. These directive list required actions for all Federal Civilian Executive Branch agencies.\n\n### Priorities\n\nBesides the ongoing PrintNightmare, er, nightmare, there are some others that deserve your undivided attention. Vulnerabilities being exploited in the wild, besides PrintNightmare, are:\n\n * [CVE-2021-34448](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34448>) Scripting Engine Memory Corruption Vulnerability for Windows Server 2012 R2 and Windows 10.\n * [CVE-2021-33771](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33771>) Windows Kernel Elevation of Privilege Vulnerability for Windows Server 2012, Server 2016, Windows 8.1, and Windows 10.\n * [CVE-2021-31979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31979>) Windows Kernel Elevation of Privilege Vulnerability for Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019.\n\nOther vulnerabilities that are not seen exploited in the wild yet, but are likely candidates to make that list soon:\n\n * [CVE-2021-34458](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34458>) Windows Kernel Remote Code Execution Vulnerability for some Windows Server versions, if the system is hosting virtual machines, or the Server includes hardware with SR-IOV devices.\n * [CVE-2021-34494](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34494>) Windows DNS Server Remote Code Execution Vulnerability for Windows Server versions if the server is configured to be a DNS server.\n\n### Exchange Server\n\nAnother ongoing effort to patch vulnerable systems has to do with Microsoft Exchange Server. Flaws that were actually already [patched in April](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/03/patch-now-exchange-servers-attacked-by-hafnium-zero-days/>) have now been assigned new CVE numbers [CVE-2021-34473](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34473>) (Microsoft Exchange Server Remote Code Execution Vulnerability) and [CVE-2021-34523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34523>) (Microsoft Exchange Server Elevation of Privilege Vulnerability). As you may remember this combo of elevation of privilege (EOP) and remote code execution (RCE) caused quite the [panic](<https://blog.malwarebytes.com/malwarebytes-news/2021/03/microsoft-exchange-attacks-cause-panic-as-criminals-go-shell-collecting/>) when attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.\n\nIf you applied the patches in April, you are already protected. If you didn\u2019t, move them to the top of your to-do-list.\n\n### Windows Media Foundation\n\nTwo other critical vulnerabilities, and one considered important, were found in Microsoft Windows Media Foundation. Microsoft Media Foundation enables the development of applications and components for using digital media on Windows Vista and later. If you do have this multimedia platform installed on your system you are advised to apply the patches, but note that many of them include the [Flash](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>) Removal Package. So do the patches for [CVE-2021-34497](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34497>) a critical Windows MSHTML Platform RCE vulnerability.\n\nStay safe, everyone!\n\nThe post [Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/four-in-the-wild-exploits-13-critical-patches-headline-bumper-patch-tuesday/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "published": "2021-07-14T11:56:06", "modified": "2021-07-14T11:56:06", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/four-in-the-wild-exploits-13-critical-patches-headline-bumper-patch-tuesday/", "reporter": "Pieter Arntz", "references": [], "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34473", "CVE-2021-34494", "CVE-2021-34497", "CVE-2021-34523", "CVE-2021-34527"], "immutableFields": [], "lastseen": "2021-07-20T08:33:57", "viewCount": 52, "enchantments": {"dependencies": {"modified": "2021-07-20T08:33:57", "references": [{"idList": ["MS:CVE-2021-34458", "MS:CVE-2021-1675", "MS:CVE-2021-34448", "MS:CVE-2021-34497", "MS:CVE-2021-34527", "MS:CVE-2021-34494", "MS:CVE-2021-34523", "MS:CVE-2021-31979", "MS:CVE-2021-34473", "MS:CVE-2021-33771"], "type": "mscve"}, {"idList": ["RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "RAPID7BLOG:45A121567763FF457DE6E50439C2605A"], "type": "rapid7blog"}, {"idList": ["MALWAREBYTES:DB34937B6474073D9444648D34438225", "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E"], "type": "malwarebytes"}, {"idList": ["VU:383432"], "type": "cert"}, {"idList": ["SECURELIST:0C07A61E6D92865F5B58728A60866991"], "type": "securelist"}, {"idList": ["THN:CDCF433A7837180E1F294791C672C5BB", "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "THN:9CE630030E0F3E3041E633E498244C8D", "THN:9FD8A70F9C17C3AF089A104965E48C95", "THN:CAFA6C5C5A34365636215CFD7679FD50", "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "THN:CF5E93184467C7B8F56A517CE724ABCF"], "type": "thn"}, {"idList": ["MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "MSRC:239E65C8BEB88185329D9990C80B10DF"], "type": "msrc"}, {"idList": ["MSSECURE:FA096F112DC9423A9C4E3850DD8721F3"], "type": "mssecure"}, {"idList": ["ZDI-21-821", "ZDI-21-822"], "type": "zdi"}, {"idList": ["THREATPOST:D112254AD1BEFC1317E4CFFA015742B2", "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "THREATPOST:A8242348917526090B7A1B23735D5C6C", "THREATPOST:98D815423018872E6E596DAA8131BF3F"], "type": "threatpost"}, {"idList": ["SCHNEIER:34FA6921AD55EB5CAC146C5F516AF062"], "type": "schneier"}, {"idList": ["CISA:6C836D217FB0329B2D68AD71789D1BB0", "CISA:367C27124C09604830E0725F5F3123F7", "CISA:4F4185688CEB9B9416A98FE75E7AFE02"], "type": "cisa"}, {"idList": ["KB5004947", "KB5004950", "KB5004955", "KB5004951", "KB5004233", "KB5004948", "KB5004958", "KB5004953", "KB5004954", "KB5004956"], "type": "mskb"}, {"idList": ["TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F"], "type": "talosblog"}, {"idList": ["SMB_NT_MS21_JUL_5004946.NASL", "SMB_NT_MS21_JUL_5004948.NASL", "SMB_NT_MS21_JUL_5004947.NASL", "SMB_NT_MS21_JUL_INTERNET_EXPLORER.NASL", "SMB_NT_MS21_APR_EXCHANGE.NASL", "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "SMB_NT_MS21_JUL_5004951.NASL", "SMB_NT_MS21_JUL_5004950.NASL", "SMB_NT_MS21_JUL_5004959.NASL", "SMB_NT_MS21_JUL_5004958.NASL"], "type": "nessus"}, {"idList": ["CVE-2021-34494", "CVE-2021-34473", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34523", "CVE-2021-34458", "CVE-2021-34497", "CVE-2021-34527", "CVE-2021-31979"], "type": "cve"}, {"idList": ["KREBS:831FD0B726B800B2995A68BA50BD8BE3", "KREBS:3CC49021549439F95A2EDEB2029CF54E"], "type": "krebs"}, {"idList": ["MMPC:FA096F112DC9423A9C4E3850DD8721F3"], "type": "mmpc"}, {"idList": ["AVLEONOV:BAA1E4E49B508F98138C7EBA9B9C07E6", "AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF"], "type": "avleonov"}, {"idList": ["AKB:2034EF9D-C938-410E-8DB8-9CDEB9C41A7A", "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "AKB:25996325-FA5B-4DD4-ACED-28622F416D0A", "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9", "AKB:F285551F-85D9-4674-BAB6-921B4A20A97A", "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800"], "type": "attackerkb"}, {"idList": ["MSF:ILITIES/MSFT-CVE-2021-34527/"], "type": "metasploit"}, {"idList": ["QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D"], "type": "qualysblog"}], "rev": 2}, "score": {"modified": "2021-07-20T08:33:57", "rev": 2, "value": 5.6, "vector": "NONE"}, "vulnersScore": 5.6}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "edition": 2, "scheme": null}

{"krebs": [{"lastseen": "2021-07-28T14:33:34", "description": "\n\n**Microsoft** today released updates to patch at least 116 security holes in its **Windows** operating systems and related software. At least four of the vulnerabilities addressed today are under active attack, according to Microsoft.\n\nThirteen of the security bugs quashed in this month&#x27;s release earned Microsoft&#x27;s most-dire &quot;critical&quot; rating, meaning they can be exploited by malware or miscreants to seize remote control over a vulnerable system without any help from users.\n\nAnother 103 of the security holes patched this month were flagged as &quot;important,&quot; which Microsoft assigns to vulnerabilities &quot;whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.&quot;\n\nAmong the critical bugs is of course the official fix for the **PrintNightmare** print spooler flaw in most versions of Windows ([CVE-2021-34527](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527>)) that prompted Microsoft [to rush out a patch for a week ago](<https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/>) in response to exploit code for the flaw that got accidentally published online. That patch seems to have caused a number of problems for Windows users. Here&#x27;s hoping the updated fix resolves some of those issues for readers who&#x27;ve been holding out.\n\n[CVE-2021-34448](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34448>) is a critical remote code execution vulnerability in the scripting engine built into every supported version of Windows -- including server versions. Microsoft says this flaw is being exploited in the wild.\n\nBoth [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771>) and [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979>) are elevation of privilege flaws in the Windows kernel. Both are seeing active exploitation, according to Microsoft.\n\n**Chad McNaughton**, technical community manager at **Automox**, called attention to [CVE-2021-34458](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34458>), a remote code execution flaw in the deepest areas of the operating system. McNaughton said this vulnerability is likely to be exploited because it is a &quot;low-complexity vulnerability requiring low privileges and no user interaction.&quot;\n\nAnother concerning critical vulnerability in the July batch is [CVE-2021-34494](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34494>), a dangerous bug in the Windows DNS Server.\n\n&quot;Both core and full installations are affected back to Windows Server 2008, including versions 2004 and 20H2,&quot; said **Aleks Haugom**, also with Automox.\n\n&quot;DNS is used to translate IP addresses to more human-friendly names, so you don\u2019t have to remember the jumble of numbers that represents your favorite social media site,&quot; Haugom said. &quot;In a Windows Domain environment, Windows DNS Server is critical to business operations and often installed on the domain controller. This vulnerability could be particularly dangerous if not patched promptly.&quot;\n\nMicrosoft also patched six vulnerabilities in **Exchange Server**, an email product that has been under siege all year from attackers. **Satnam Narang**, staff research engineer at **Tenable**, noted that while Microsoft says two of the Exchange bugs tackled this month ([CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>) and [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>)) were addressed as part of its security updates from April 2021, both CVEs were somehow omitted from that April release. Translation: If you already applied the bevy of Exchange updates Microsoft made available in April, your Exchange systems have protection against these flaws.\n\nOther products that got patches today include **Microsoft Office**, **Bing**, **SharePoint Server**, **Internet Explorer**, and **Visual Studio**. The **SANS Internet Storm Center** as always has [a nice visual breakdown of all the patches by severity](<https://isc.sans.org/forums/diary/Microsoft+July+2021+Patch+Tuesday/27628/>).\n\n**Adobe** also [issued security updates today](<https://helpx.adobe.com/security.html>) for **Adobe Acrobat** and **Reader**, as well as **Dimension**, **Illustrator**, Framemaker and Adobe Bridge.\n\n**Chrome** and **Firefox** also recently have shipped important security updates, so if you haven&#x27;t done so recently take a moment to save your tabs/work, completely close out and restart the browser, which should apply any pending updates.\n\nThe usual disclaimer:\n\nBefore you update with this month\u2019s patch batch, please make sure you have backed up your system and/or important files. It\u2019s not uncommon for Windows updates to hose one\u2019s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.\n\nSo do yourself a favor and backup _before_ installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nAnd if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see [this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAs always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, check out [AskWoody](<https://www.askwoody.com/>), which keeps a close eye out for specific patches that may be causing problems for users.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T21:41:47", "type": "krebs", "title": "Microsoft Patch Tuesday, July 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34494", "CVE-2021-34473", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34523", "CVE-2021-34458", "CVE-2021-34527", "CVE-2021-31979"], "modified": "2021-07-13T21:41:47", "id": "KREBS:831FD0B726B800B2995A68BA50BD8BE3", "href": "https://krebsonsecurity.com/2021/07/microsoft-patch-tuesday-july-2021-edition/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:35", "description": "**Microsoft **on Tuesday issued an emergency software update to quash a security bug that&#x27;s been dubbed &quot;**PrintNightmare**,&quot; a critical vulnerability in all supported versions of** Windows** that is actively being exploited. The fix comes a week ahead of Microsoft&#x27;s normal monthly Patch Tuesday release, and follows the publishing of exploit code showing would-be attackers how to leverage the flaw to break into Windows computers.\n\n\n\nAt issue is [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), which involves a flaw in the Windows Print Spooler service that could be exploited by attackers to run code of their choice on a target&#x27;s system. Microsoft says it has already detected active exploitation of the vulnerability.\n\n**Satnam Narang**, staff research engineer at** Tenable**, said Microsoft&#x27;s patch warrants urgent attention because of the vulnerability&#x27;s ubiquity across organizations and the prospect that attackers could exploit this flaw in order to take over a Windows domain controller.\n\n&quot;We expect it will only be a matter of time before it is more broadly incorporated into attacker toolkits,&quot; Narang said. &quot;PrintNightmare will remain a valuable exploit for cybercriminals as long as there are unpatched systems out there, and as we know, unpatched vulnerabilities have a long shelf life for attackers.&quot;\n\nIn [a blog post](<https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/>), Microsoft&#x27;s Security Response Center said it was delayed in developing fixes for the vulnerability in **Windows Server 2016**, **Windows 10 version 1607**, and **Windows Server 2012**. The fix also apparently includes a new feature that allows Windows administrators to implement stronger restrictions on the installation of printer software.\n\n&quot;Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators\u2019 security group could install both signed and unsigned printer drivers on a printer server,&quot; reads Microsoft&#x27;s [support advisory](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>). &quot;After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\u201d\n\nWindows 10 users can check for the patch by opening Windows Update. Chances are, it will show what&#x27;s pictured in the screenshot below -- that **KB5004945** is available for download and install. A reboot will be required after installation.\n\n\n\nFriendly reminder: It&#x27;s always a good idea to backup your data before applying security updates. Windows 10 [has some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. \n\nMicrosoft&#x27;s out-of-band update may not completely fix the PrinterNightmare vulnerability. Security researcher [Benjamin Delpy](<https://blog.gentilkiwi.com/>) [posted on Twitter](<https://twitter.com/gentilkiwi/status/1412771368534528001>) that the exploit still works on a fully patched Windows server if the server also has Point &amp; Print enabled -- a Windows feature that automatically downloads and installs available printer drivers.\n\nDelpy said it&#x27;s common for organizations to enable Point &amp; Print using group policies because it allows users to install printer updates without getting approval first from IT. \n\nThis post will be updated if Windows users start reporting any issues in applying the patch.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:34:59", "type": "krebs", "title": "Microsoft Issues Emergency Patch for Windows Flaw", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-07T14:34:59", "id": "KREBS:3CC49021549439F95A2EDEB2029CF54E", "href": "https://krebsonsecurity.com/2021/07/microsoft-issues-emergency-patch-for-windows-flaw/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-07-20T19:52:15", "description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33771, CVE-2021-34514.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2021 5:35pm UTC reported:\n\n**Update**: Looks like this was used by the exploit brokerage company Candiru along with CVE-2021-33771 to deliver spyware to targeted users, which according to Microsoft\u2019s blog post, affected at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.\n\nHmm, this is a particularly juicy bug as it seems to affect all Windows systems from Windows 7 up to the latest Windows 10. This is in contrast to CVE-2021-33771, which only affects Windows 8.1 and later. Both bugs affect the Windows Kernel and are being actively exploited in the wild for LPE.\n\nThere is little information on what actually is the issue here, although <https://twitter.com/mavillon1/status/1415149124064878593/> suggests that `MiFlashDataSecton`, `EtwpUpdatePeriodicCaptureState` and `AlpcpProcessSynchronousRequest` may be possible culprits and reviewing `AlpcpProcessSynchronousRequest` shows that a potential integer overflow was fixed.\n\nGiven that Microsoft also lists the attack complexity for both vulnerabilities as `Low` it seems likely that other researchers will find a way to replicate these vulnerabilities and create working PoCs for them, particularly given that they have been exploited in the wild. Based on this evidence, it is highly recommended to patch these issues as soon as possible.\n\nFurther updates will be made to this post if and when these CVEs are tied to specific vulnerable functions.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-31979", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-34514"], "modified": "2021-07-17T00:00:00", "id": "AKB:2034EF9D-C938-410E-8DB8-9CDEB9C41A7A", "href": "https://attackerkb.com/topics/LzgAMbow02/cve-2021-31979", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T19:50:26", "description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31979, CVE-2021-34514.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2021 5:35pm UTC reported:\n\n**Update**: Looks like this was used by the exploit brokerage company Candiru along with CVE-2021-31979 to deliver spyware to targeted users, which according to Microsoft\u2019s blog post, affected at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.\n\nHmm interesting so this bug only affects Windows 8.1 and later according to <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>, despite also being disclosed in the same month as CVE-2021-31979, another bug that affected everything from Windows 7 and later onwards. Both bugs however affect the Windows Kernel and are being actively exploited in the wild for LPE.\n\nThere is little information on what actually is the issue here, although <https://twitter.com/mavillon1/status/1415149124064878593/> suggests that `MiFlashDataSecton`, `EtwpUpdatePeriodicCaptureState` and `AlpcpProcessSynchronousRequest` may be possible culprits and reviewing `AlpcpProcessSynchronousRequest` shows that a potential integer overflow was fixed.\n\nGiven that Microsoft also lists the attack complexity for both vulnerabilities as `Low` it seems likely that other researchers will find a way to replicate these vulnerabilities and create working PoCs for them, particularly given that they have been exploited in the wild. Based on this evidence, it is highly recommended to patch these issues as soon as possible.\n\nFurther updates will be made to this post if and when these CVEs are tied to specific vulnerable functions.\n\n**NinjaOperator** at July 13, 2021 7:53pm UTC reported:\n\n**Update**: Looks like this was used by the exploit brokerage company Candiru along with CVE-2021-31979 to deliver spyware to targeted users, which according to Microsoft\u2019s blog post, affected at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.\n\nHmm interesting so this bug only affects Windows 8.1 and later according to <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>, despite also being disclosed in the same month as CVE-2021-31979, another bug that affected everything from Windows 7 and later onwards. Both bugs however affect the Windows Kernel and are being actively exploited in the wild for LPE.\n\nThere is little information on what actually is the issue here, although <https://twitter.com/mavillon1/status/1415149124064878593/> suggests that `MiFlashDataSecton`, `EtwpUpdatePeriodicCaptureState` and `AlpcpProcessSynchronousRequest` may be possible culprits and reviewing `AlpcpProcessSynchronousRequest` shows that a potential integer overflow was fixed.\n\nGiven that Microsoft also lists the attack complexity for both vulnerabilities as `Low` it seems likely that other researchers will find a way to replicate these vulnerabilities and create working PoCs for them, particularly given that they have been exploited in the wild. Based on this evidence, it is highly recommended to patch these issues as soon as possible.\n\nFurther updates will be made to this post if and when these CVEs are tied to specific vulnerable functions.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-33771", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-34514"], "modified": "2021-07-17T00:00:00", "id": "AKB:F285551F-85D9-4674-BAB6-921B4A20A97A", "href": "https://attackerkb.com/topics/GO6LySXvPZ/cve-2021-33771", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-23T13:54:59", "description": "Scripting Engine Memory Corruption Vulnerability\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2021 5:02pm UTC reported:\n\nLooking at Microsoft\u2019s advisory at <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448> shows very little information other than that this is a scripting engine vulnerability which is exploitable across a wide range of Windows OS versions and is exploitable remotely. Further investigation though shows that Cisco Talos at <https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html> mentions that this vulnerability is a memory corruption vulnerability triggered when opening a maliciously crafted email or visiting a malicious website.\n\nFurther examination of <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448> using the `Download` column (which is not enabled by default but can be added) shows several references to `IE Cumulative Update` which suggests this is potentially an IE related vulnerability. Further examination of past advisories named in the same way like <https://msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0224> shows that IE scripting engine vulnerabilities are also referenced using the same style of language, so it would seem this is a memory corruption vulnerability within IE\u2019s scripting engine.\n\nUsers should ideally apply patches to fix this issue given it has been exploited in the wild already, however if this is not possible then users should disable JavaScript in their browsers as most scripting engine vulnerabilities rely on taking advantage of flaws in the JavaScript engine of a given browser, which requires the browser to have JavaScript enabled in the first place. Note that this will break the operation of most sites so patching is preferred where possible.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-16T00:00:00", "type": "attackerkb", "title": "CVE-2021-34448", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0224", "CVE-2021-34448"], "modified": "2021-07-23T00:00:00", "id": "AKB:25996325-FA5B-4DD4-ACED-28622F416D0A", "href": "https://attackerkb.com/topics/yMFDP6I1UQ/cve-2021-34448", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:08:20", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at July 14, 2021 5:15pm UTC reported:\n\nFrom <https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html> there was a note that this vulnerability seems to have been used in some Exchange Server APT attacks detailed at <https://blog.talosintelligence.com/2021/03/hafnium-update.html> however it wasn\u2019t disclosed that this vulnerability was patched despite being patched back in April 2021. Since this was under active exploitation it is recommended to patch this vulnerability if you haven\u2019t applied April 2021\u2019s patch updates already.\n\nSuccessful exploitation will result in RCE on affected Exchange Servers, and requires no prior user privileges, so patch this soon!\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 3\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-34473", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-20T00:00:00", "id": "AKB:BDCF4DDE-714E-40C0-B4D9-2B4ECBAD31FF", "href": "https://attackerkb.com/topics/pUK1MXLZkW/cve-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:08:56", "description": "Windows Print Spooler Remote Code Execution Vulnerability\n\n \n**Recent assessments:** \n \n**zeroSteiner** at July 08, 2021 5:09pm UTC reported:\n\nCVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\\SYSTEM privileges.\n\nThe patch for CVE-2021-34527 is effective at preventing this attack **only when Point and Print** is disabled, which is the default setting. This can be configured by ensuring the registry key `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via `RpcAddPrinterDriverEx`) will fail with `ERROR_INVALID_PARAMETER`. This can be bypassed by converting the UNC path from the standard syntax (`\\\\1.2.3.4\\public\\payload.dll`) to the alternative syntax (`\\??\\UNC\\1.2.3.4\\public\\payload.dll`).\n\nWith the patches applied and Point and Print disabled, the affected calls to `RpcAddPrinterDriverEx` will return ERROR_ACCESS_DENIED.\n\n**ccondon-r7** at July 08, 2021 12:12am UTC reported:\n\nCVE-2021-34527 is related to the previous CVE-2021-1675. This fixes a vulnerability whereby an authenticated attacker can connect to the remote print service (via either MS-RPRN or MS-PAR) and add a driver using a custom DLL. Upon successful exploitation, the Print Spool service would load the attacker controlled DLL from either a remote UNC path or a local path. In both cases, the DLL is then executed with NT AUTHORITY\\SYSTEM privileges.\n\nThe patch for CVE-2021-34527 is effective at preventing this attack **only when Point and Print** is disabled, which is the default setting. This can be configured by ensuring the registry key `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` is 0. The system does not need to be rebooted to enforce the changed registry key. If that registry key is defined as 1, the vulnerability can still be exploited. With Point and Print enabled, a standard UNC path used over the MS-RPRN vector (via `RpcAddPrinterDriverEx`) will fail with `ERROR_INVALID_PARAMETER`. This can be bypassed by converting the UNC path from the standard syntax (`\\\\1.2.3.4\\public\\payload.dll`) to the alternative syntax (`\\??\\UNC\\1.2.3.4\\public\\payload.dll`).\n\nWith the patches applied and Point and Print disabled, the affected calls to `RpcAddPrinterDriverEx` will return ERROR_ACCESS_DENIED.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T00:00:00", "type": "attackerkb", "title": "CVE-2021-34527 \"PrintNightmare\"", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-14T00:00:00", "id": "AKB:7575B82F-7B7A-4416-B1AA-B8A2DF4D0800", "href": "https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T20:08:57", "description": "Windows Print Spooler Elevation of Privilege Vulnerability\n\n \n**Recent assessments:** \n \n**kevthehermit** at June 30, 2021 1:53pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**andretorresbr** at July 02, 2021 2:37am UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**architect00** at July 01, 2021 1:46pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**NinjaOperator** at June 29, 2021 5:55pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\n**ccondon-r7** at July 01, 2021 1:43pm UTC reported:\n\n#### Vulnerability\n\nThis was originally classified as a Local Priv Escalation, however recent POC code has been released that enabled a domain authenticated user to remotely escalate to `SYSTEM` on vulnerable services\n\n#### Exploit Code\n\nThere are several functional exploits available on Github after the initial repository was removed by the authors.\n\n * <https://github.com/afwu/PrintNightmare> \u2013 A windows binary exploit \n\n * <https://github.com/cube0x0/CVE-2021-1675> \u2013 Python3 using a modified version of impacket \n\n\n#### Mitigation\n\nInitial testing shows that the patches released are not sufficient to stop this exploit. It has been tested in Server 2016 and Server 2019.\n\nDisable the print spooler can prevent exploitation.\n\nEvent logs can be found for both successful and non-successful exploit attempts in some situations.\n\nSigma rules can be found: <https://github.com/SigmaHQ/sigma/pull/1592>\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T00:00:00", "type": "attackerkb", "title": "CVE-2021-1675", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "id": "AKB:CDA9C43E-015D-4B04-89D3-D6CABC5729B9", "href": "https://attackerkb.com/topics/dI1bxlM0ay/cve-2021-1675", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T11:16:43", "description": "Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. If exploited, a threat actor may be able to gain privileged access to the machine hosting Serv-U Only. SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 are affected by this vulnerability.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 12, 2021 4:00pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\n**wvu-r7** at July 22, 2021 4:35pm UTC reported:\n\nSolarWinds was recently notified by Microsoft of a security vulnerability (RCE) related to Serv-U Managed File Transfer Server and Serv-U Secured FTP and have developed a hotfix to resolve this vulnerability. While Microsoft\u2019s research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor, our joint teams have mobilized to address it quickly.\n\nThe vulnerability exists in the latest Serv-U version 15.2.3 HF1 released May 5, 2021, and all prior versions. A threat actor who successfully exploits CVE-2021-34527 can run arbitrary code with SYSTEM privileges and install programs; view, change, or delete data, and run programs.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-35211", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527", "CVE-2021-35211"], "modified": "2021-07-27T00:00:00", "id": "AKB:9ADF44D2-FA0D-4643-8B97-8B46983B6917", "href": "https://attackerkb.com/topics/Toj3cA6kd7/cve-2021-35211", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-20T19:56:51", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-34473.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at July 14, 2021 7:15pm UTC reported:\n\nThis remote code execution (RCE) vulnerability affects Microsoft Exchange Server 2013/ CU23/2016 CU20/2016 CU21/2019 CU10. \nAnd according to FireEye exploit code is available. \nI will share more information once MSFT releases more details\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T00:00:00", "type": "attackerkb", "title": "CVE-2021-31206", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31196", "CVE-2021-31206", "CVE-2021-34473"], "modified": "2021-07-17T00:00:00", "id": "AKB:C4CD066B-E590-48F0-96A7-FFFAFC3D23CC", "href": "https://attackerkb.com/topics/oAhIZujU2O/cve-2021-31206", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2021-07-17T12:33:10", "bulletinFamily": "info", "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-33779", "CVE-2021-33781", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34466", "CVE-2021-34473", "CVE-2021-34492", "CVE-2021-34494", "CVE-2021-34523", "CVE-2021-34527"], "description": "[](<https://thehackernews.com/images/-aVEUxlp9r9o/YO5q47NA_bI/AAAAAAAADL4/tkntZNY2smU5FPaAkTU1qBYUg8VPhp8NACLcBGAsYHQ/s0/windows-update-download.jpg>)\n\nMicrosoft rolled out [Patch Tuesday updates](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems. \n\nOf the 117 issues, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity, with six of these bugs publicly known at the time of release. \n\nThe updates span across several of Microsoft's products, including Windows, Bing, Dynamics, Exchange Server, Office, Scripting Engine, Windows DNS, and Visual Studio Code. July also marks a dramatic jump in the volume of vulnerabilities, surpassing the number Microsoft collectively addressed as part of its updates in [May](<https://thehackernews.com/2021/05/latest-microsoft-windows-updates-patch.html>) (55) and [June](<https://thehackernews.com/2021/06/update-your-windows-computers-to-patch.html>) (50).\n\n[](<https://go.thn.li/1-free-300-8> \"Stack Overflow Teams\" )\n\nChief among the security flaws actively exploited are as follows \u2014\n\n * **CVE-2021-34527** (CVSS score: 8.8) - Windows Print Spooler Remote Code Execution Vulnerability (publicly disclosed as \"[PrintNightmare](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)\")\n * **CVE-2021-31979** (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability\n * **CVE-2021-33771** (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability\n * **CVE-2021-34448** (CVSS score: 6.8) - Scripting Engine Memory Corruption Vulnerability\n\nMicrosoft also stressed the high attack complexity of CVE-2021-34448, specifically stating that the attacks hinge on the possibility of luring an unsuspecting user into clicking on a link that leads to a malicious website hosted by the adversary and contains a specially-crafted file that's engineered to trigger the vulnerability.\n\nThe other five publicly disclosed, but not exploited, zero-day vulnerabilities are listed below \u2014\n\n * **CVE-2021-34473** (CVSS score: 9.1) - Microsoft Exchange Server Remote Code Execution Vulnerability\n * **CVE-2021-34523** (CVSS score: 9.0) - Microsoft Exchange Server Elevation of Privilege Vulnerability\n * **CVE-2021-33781** (CVSS score: 8.1) - Active Directory Security Feature Bypass Vulnerability\n * **CVE-2021-33779** (CVSS score: 8.1) - Windows ADFS Security Feature Bypass Vulnerability\n * **CVE-2021-34492** (CVSS score: 8.1) - Windows Certificate Spoofing Vulnerability\n\n\"This Patch Tuesday comes just days after out-of-band updates were released to address PrintNightmare \u2014 the critical flaw in the Windows Print Spooler service that was found in all versions of Windows,\" Bharat Jogi, senior manager of vulnerability and threat research at Qualys, told The Hacker News.\n\n\"While MSFT has released updates to fix the vulnerability, users must still ensure that necessary configurations are set up correctly. Systems with misconfigurations will continue to be at risk of exploitation, even after the latest patch has been applied. PrintNightmare was a highly serious issue that further underscores the importance of marrying detection and remediation,\" Jogi added.\n\nThe PrintNightmare vulnerability has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to [release an emergency directive](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler>), urging federal departments and agencies to apply the latest security updates immediately and disable the print spooler service on servers on Microsoft Active Directory Domain Controllers.\n\n[](<https://go.thn.li/ransomware_728> \"Prevent Ransomware Attacks\" )\n\nAdditionally, Microsoft also rectified a security bypass vulnerability in Windows Hello biometrics-based authentication solution ([CVE-2021-34466](<https://www.cyberark.com/resources/threat-research-blog/bypassing-windows-hello-without-masks-or-plastic-surgery>), CVSS score: 5.7) that could permit an adversary to spoof a target's face and get around the login screen.\n\nOther critical flaws remediated by Microsoft include remote code execution vulnerabilities affecting Windows DNS Server (CVE-2021-34494, CVSS score 8.8) and Windows Kernel (CVE-2021-34458), the latter of which is rated 9.9 on the CVSS severity scale.\n\n\"This issue allows a single root input/output virtualization (SR-IOV) device which is assigned to a guest to potentially interfere with its Peripheral Component Interface Express (PCIe) siblings which are attached to other guests or to the root,\" Microsoft noted in its advisory for CVE-2021-34458, adding Windows instances hosting virtual machines are vulnerable to this flaw.\n\nTo install the latest security updates, Windows users can head to Start &gt; Settings &gt; Update &amp; Security &gt; Windows Update or by selecting Check for Windows updates.\n\n### Software Patches From Other Vendors\n\nAlongside Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html/security/security-bulletin.ug.html>)\n * [Android](<https://source.android.com/security/bulletin/2021-07-01>)\n * [Apache Tomcat](<https://mail-archives.us.apache.org/mod_mbox/www-announce/202107.mbox/%3Cd050b202-b64e-bc6f-a630-2dd83202f23a%40apache.org%3E>)\n * [Cisco](<https://tools.cisco.com/security/center/publicationListing.x>)\n * [Citrix](<https://support.citrix.com/article/CTX319750>)\n * [Juniper Networks](<https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11180&cat=SIRT_1&actp=LIST>)\n * Linux distributions [SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-July/thread.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories?q=&p=2&sort=portal_publication_date%20desc&rows=10&portal_advisory_type=Security%20Advisory&documentKind=Errata>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=580617506>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>)\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>), and\n * [VMware](<https://www.vmware.com/security/advisories.html>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2021-07-17T11:52:45", "published": "2021-07-14T05:03:00", "id": "THN:9FD8A70F9C17C3AF089A104965E48C95", "href": "https://thehackernews.com/2021/07/update-your-windows-pcs-to-patch-117.html", "type": "thn", "title": "Update Your Windows PCs to Patch 117 New Flaws, Including 9 Zero-Days", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-19T16:39:21", "description": "[](<https://thehackernews.com/images/-lnmWNBrSE9k/YPWhrFsftuI/AAAAAAAA4Tc/mV6atejnTU8JKQ98Latgx1poZRDDLxvXgCLcBGAsYHQ/s0/cyber.jpg>)\n\nTwo of the zero-day Windows flaws rectified by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of \"precision attacks\" to hack more than 100 journalists, academics, activists, and political dissidents globally.\n\nThe spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab.\n\n\"[Candiru](<https://www.forbes.com/sites/thomasbrewster/2019/10/03/meet-candiru-the-super-stealth-cyber-mercenaries-hacking-apple-and-microsoft-pcs-for-profit/>)'s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,\" Citizen Lab researchers [said](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>). \"This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.\"\n\n[](<https://go.thn.li/1-free-728-7> \"Stack Overflow Teams\" )\n\nFounded in 2014, the private-sector offensive actor (PSOA) \u2014 codenamed \"Sourgum\" by Microsoft \u2014 is said to be the developer of an espionage toolkit dubbed DevilsTongue that's exclusively sold to governments and is capable of infecting and monitoring a broad range of devices across different platforms, including iPhones, Androids, Macs, PCs, and cloud accounts.\n\nCitizen Lab said it was able to recover a copy of Candiru's Windows spyware after obtaining a hard drive from \"a politically active victim in Western Europe,\" which was then reverse engineered to identify two never-before-seen Windows zero-day exploits for vulnerabilities tracked as [CVE-2021-31979 and CVE-2021-33771](<https://thehackernews.com/2021/07/update-your-windows-pcs-to-patch-117.html>) that were leveraged to install malware on victim boxes.\n\nThe infection chain relied on a mix of browser and Windows exploits, with the former served via single-use URLs sent to targets on messaging applications such as WhatsApp. Microsoft addressed both the privilege escalation flaws, which enable an adversary to escape browser sandboxes and gain kernel code execution, on July 13.\n\nThe intrusions culminated in the deployment of DevilsTongue, a modular C/C++-based backdoor equipped with a number of capabilities, including exfiltrating files, exporting messages saved in the encrypted messaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.\n\nMicrosoft's analysis of the digital weapon also found that it could abuse the stolen cookies from logged-in email and social media accounts like Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim's messages, retrieve photos, and even send messages on their behalf, thus allowing the threat actor to send malicious links directly from a compromised user's computer.\n\nSeparately, the Citizen Lab report also tied the two Google Chrome vulnerabilities disclosed by the search giant on Wednesday \u2014 [CVE-2021-21166 and CVE-2021-30551](<https://thehackernews.com/2021/07/google-details-ios-chrome-ie-zero-day.html>) \u2014 to the Tel Aviv company, noting overlaps in the websites that were used to distribute the exploits.\n\n[](<https://go.thn.li/privileged_300> \"Prevent Data Breaches\" )\n\nFurthermore, 764 domains linked to Candiru's spyware infrastructure were uncovered, with many of the domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities. Some of the systems under their control were operated from Saudi Arabia, Israel, U.A.E., Hungary, and Indonesia.\n\nOver 100 victims of SOURGUM's malware have been identified to date, with targets located in Palestine, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. \"These attacks have largely targeted consumer accounts, indicating Sourgum's customers were pursuing particular individuals,\" Microsoft's General Manager of Digital Security Unit, Cristin Goodwin, [said](<https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/>).\n\nThe latest report arrives as TAG researchers Maddie Stone and Clement Lecigne noted a surge in attackers using more zero-day exploits in their cyber offensives, in part fueled by more commercial vendors selling access to zero-days than in the early 2010s.\n\n\"Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices,\" Microsoft Threat Intelligence Center (MSTIC) [said](<https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/>) in a technical rundown.\n\n\"With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks,\" MSTIC added.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-16T11:13:00", "type": "thn", "title": "Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21166", "CVE-2021-30551", "CVE-2021-31979", "CVE-2021-33771"], "modified": "2021-07-19T16:01:00", "id": "THN:CDCF433A7837180E1F294791C672C5BB", "href": "https://thehackernews.com/2021/07/israeli-firm-helped-governments-target.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T16:34:51", "description": "[](<https://thehackernews.com/images/-J4q0IawSomE/YOSMoHyRjgI/AAAAAAAABHE/cP0YFHHZFtA9uluA4FTtUF6qLpRtEeAEgCLcBGAsYHQ/s0/Microsoft-PrintSpooler-Vulnerability.jpg>)\n\nThis week, **PrintNightmare** \\- Microsoft's Print Spooler vulnerability (CVE-2021-34527) was upgraded from a 'Low' criticality to a 'Critical' criticality.\n\nThis is due to a Proof of Concept published on GitHub, which attackers could potentially leverage for gaining access to Domain Controllers.\n\nAs we [reported earlier](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>), Microsoft already released a patch in June 2021, but it wasn't enough to stop exploits. Attackers can still use Print Spooler when connecting remotely. You can find all you need to know about this vulnerability in this article and how you can mitigate it (and you can). \n\n**Print Spooler in a nutshell:** Print Spooler is Microsoft's service for managing and monitoring files printing. This service is among Microsoft's oldest and has had minimal maintenance updates since it was released. \n\nEvery Microsoft machine (servers and endpoints) has this feature enabled by default.\n\n**PrintNightmare vulnerability:** As soon as an attacker gains limited user access to a network, he will be able to connect (directly or remotely) to the Print Spooler. Since the Print Spooler has direct access to the kernel, the attacker can use it to gain access to the operating system, run remote code with system privileges, and ultimately attack the Domain Controller.\n\nYour best option when it comes to mitigating the PrintNightmare vulnerability is to disable the Print Spooler on every server and/or sensitive workstation (such as administrators' workstations, direct internet-facing workstations, and non-printing workstations).\n\nThis is what Dvir Goren's, hardening expert and CTO at [CalCom Software Solutions](<https://www.calcomsoftware.com/?utm_source=HN>), suggests as your first move towards mitigation.\n\nFollow these steps to disable the Print Spooler service on Windows 10:\n\n 1. Open Start.\n 2. Search for PowerShell, right-click on it and select the Run as administrator.\n 3. Type the command and press Enter: _Stop-Service -Name Spooler -Force_\n 4. Use this command to prevent the service from starting back up again during restart: Set-Service -Name Spooler -StartupType Disabled\n\nAccording to Dvir's experience, 90% of servers do not require Print Spooler. It is the default configuration for most of them, so it is usually enabled. As a result, disabling it can solve 90% of your problem and have little impact on production.\n\nIn large and complex infrastructures, it can be challenging to locate where Print Spooler is used.\n\nHere are a few examples where Print Spooler is required:\n\n 1. When using Citrix services,\n 2. Fax servers,\n 3. Any application requiring virtual or physical printing of PDFs, XPSs, etc. Billing services and wage applications, for example.\n\nHere are a few examples when Print Spooler is not needed but enabled by default:\n\n 1. Domain Controller and Active Directory \u2013 the main risk in this vulnerability can be neutralized by practicing basic cyber hygiene. It makes no sense to have Print Spooler enabled in DCs and AD servers. \n 2. Member servers such as SQL, File System, and Exchange servers. \n 3. Machines that do not require printing. \n\nA few other hardening steps suggested by Dvir for machines dependent on Print Spooler include:\n\n 1. Replace the vulnerable Print Spooler protocol with a non-Microsoft service. \n 2. By changing 'Allow Print Spooler to accept client connections', you can restrict users' and drivers' access to the Print Spooler to groups that must use it.\n 3. Disable Print Spooler caller in Pre-Windows 2000 compatibility group.\n 4. Make sure that Point and Print is not configured to No Warning \u2013 check registry key SOFTWARE/Policies/Microsoft/Windows NT/Printers/PointAndPrint/NoElevationOnInstall for DWORD value 1 and change it to 0.\n 5. Turn off EnableLUA \u2013 check registry key SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA for DWORD value 0 and change it to 1.\n\nHere's what you need to do next to ensure your organization is secure:\n\n 1. Identify where Print Spooler is being used on your network. \n 2. Map your network to find the machines that must use Print Spooler.\n 3. Disable Print Spooler on machines that do not use it. \n 4. For machines that require Print Spooler \u2013 configure them in a way to minimize its attack surface. \n\nBeside this, to find potential evidence of exploitation, you should also monitor Microsoft-Windows-PrintService/Admin log entries. There might be entries with error messages that indicate Print Spooler can't load plug-in module DLLs, although this can also happen if an attacker packaged a legitimate DLL that Print Spooler demands.\n\nThe final recommendation from Dvir is to implement these recommendations through[ hardening automation tools](<https://www.calcomsoftware.com/best-hardening-tools/?utm_source=HN>). Without automation, you will spend countless hours attempting to harden manually and may end up vulnerable or causing systems to go down\n\nAfter choosing your course of action, a [Hardening automation tool](<https://www.calcomsoftware.com/server-hardening-suite/?utm_source=HN>) will discover where Print Spooler is enabled, where they are actually used, and disable or reconfigure them automatically.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-08T09:32:00", "type": "thn", "title": "How to Mitigate Microsoft Print Spooler Vulnerability \u2013 PrintNightmare", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T15:05:22", "id": "THN:10A732F6ED612DC7431BDC9A3CEC3A29", "href": "https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-03T08:35:53", "description": "[](<https://thehackernews.com/images/-RJ_0BYkTxHY/YN7HyUD-_KI/AAAAAAAA4SA/dbXcZli9DPwTnJvla5sgZ3hDzIqO8zLRgCLcBGAsYHQ/s0/windows-print-spooler-vulnerability.jpg>)\n\nMicrosoft on Thursday officially confirmed that the \"**PrintNightmare**\" remote code execution (RCE) vulnerability affecting Windows Print Spooler is different from the issue the company addressed as part of its Patch Tuesday update released earlier this month, while warning that it has detected exploitation attempts targeting the flaw.\n\nThe company is tracking the security weakness under the identifier [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), and has assigned it a severity rating of 8.8 on the CVSS scoring system. All versions of Windows contain the vulnerable code and are susceptible to exploitation.\n\n[](<https://go.thn.li/1-free-300-9> \"Stack Overflow Teams\" )\n\n\"A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\" Microsoft said in its advisory. \"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\n\"An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),\" the Redmond-based firm added. When reached by The Hacker News, the company said it had nothing to share beyond the advisory.\n\nThe acknowledgment comes after researchers from Hong Kong-based cybersecurity company Sangfor [published](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) a technical deep-dive of a Print Spooler RCE flaw to GitHub, along with a fully working PoC code, before it was taken down just hours after it went up.\n\n[](<https://thehackernews.com/images/-Zl5E2TyZRFQ/YN7Ej6s8x8I/AAAAAAAA4R4/FEYZ4JpYdakscU9e8eXMl9VEI0Hl1P_SwCLcBGAsYHQ/s0/ms.jpg>)\n\nThe disclosures also set off speculation and debate about whether the June patch does or does not protect against the RCE vulnerability, with the CERT Coordination Center [noting](<https://kb.cert.org/vuls/id/383432>) that \"while Microsoft has released an update for CVE-2021-1675, it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have Point and Print configured with the NoWarningNoElevationOnInstall option configured.\"\n\n[](<https://go.thn.li/auth_728> \"Enterprise Password Management\" )\n\nCVE-2021-1675, originally classified as an elevation of privilege vulnerability and later revised to RCE, was remediated by Microsoft on June 8, 2021.\n\nThe company, in its advisory, noted that PrintNightmare is distinct from CVE-2021-1675 for reasons that the latter resolves a separate vulnerability in RpcAddPrinterDriverEx() and that the attack vector is different.\n\nAs workarounds, Microsoft is recommending users to disable the Print Spooler service or turn off inbound remote printing through Group Policy. To reduce the attack surface and as an alternative to completely disabling printing, the company is also advising to check membership and nested group membership, and reduce membership as much as possible, or completely empty the groups where possible.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-02T05:36:00", "type": "thn", "title": "Microsoft Warns of Critical \"PrintNightmare\" Flaw Being Exploited in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-03T07:11:54", "id": "THN:9CE630030E0F3E3041E633E498244C8D", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-critical.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-09T10:32:37", "description": "[](<https://thehackernews.com/images/-4tveTym6-fk/YOZ_5ZwEbHI/AAAAAAAADHs/xXSCpfsipXYpe6tJM2SGaTIDUE9dVGoGwCLcBGAsYHQ/s0/PrintNightmare-Vulnerability-Patch.jpg>)\n\nEven as Microsoft [expanded patches](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center>) for the so-called [PrintNightmare vulnerability](<https://thehackernews.com/2021/07/how-to-mitigate-microsoft-print-spooler.html>) for Windows 10 version 1607, Windows Server 2012, and Windows Server 2016, it has come to light that the fix for the remote code execution exploit in the Windows Print Spooler service can be bypassed in certain scenarios, effectively defeating the security protections and permitting attackers to run arbitrary code on infected systems.\n\nOn Tuesday, the Windows maker issued an [emergency out-of-band update](<https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html>) to address [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8) after the flaw was accidentally disclosed by researchers from Hong Kong-based cybersecurity firm Sangfor late last month, at which point it emerged that the issue was different from another bug \u2014 tracked as [CVE-2021-1675](<https://thehackernews.com/2021/06/researchers-leak-poc-exploit-for.html>) \u2014 that was patched by Microsoft on June 8.\n\n[](<https://go.thn.li/1-free-300-8> \"Stack Overflow Teams\" )\n\n\"Several days ago, two security vulnerabilities were found in Microsoft Windows' existing printing mechanism,\" Yaniv Balmas, head of cyber research at Check Point, told The Hacker News. \"These vulnerabilities enable a malicious attacker to gain full control on all windows environments that enable printing.\"\n\n\"These are mostly working stations but, at times, this relates to entire servers that are an integral part of very popular organizational networks. Microsoft classified these vulnerabilities as critical, but when they were published they were able to fix only one of them, leaving the door open for explorations of the second vulnerability,\" Balmas added.\n\nPrintNightmare stems from bugs in the Windows [Print Spooler](<https://docs.microsoft.com/en-us/windows/win32/printdocs/print-spooler>) service, which manages the printing process inside local networks. The main concern with the threat is that non-administrator users had the ability to load their own printer drivers. This has now been rectified.\n\n\"After installing this [update] and later Windows updates, users who are not administrators can only install signed print drivers to a print server,\" Microsoft [said](<https://support.microsoft.com/en-us/topic/july-7-2021-kb5004948-os-build-14393-4470-out-of-band-fb676642-a3fe-4304-a79c-9d651d2f6550>), detailing the improvements made to mitigate the risks associated with the flaw. \"Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.\"\n\nPost the update's release, CERT/CC vulnerability analyst Will Dormann cautioned that the patch \"only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" thereby allowing attackers to abuse the latter to gain SYSTEM privileges on vulnerable systems.\n\n[](<https://go.thn.li/ransomware_728> \"Prevent Ransomware Attacks\" )\n\nNow, further testing of the update has revealed that exploits targeting the flaw could [bypass](<https://twitter.com/gentilkiwi/status/1412771368534528001>) the [remediations](<https://twitter.com/wdormann/status/1412813044279910416>) entirely to gain both local privilege escalation and remote code execution. To achieve this, however, a [Windows policy](<https://docs.microsoft.com/en-us/troubleshoot/windows-server/printing/use-group-policy-to-control-ad-printer>) called '[Point and Print Restrictions](<https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/point-print-restrictions-policies-ignored>)' must be enabled (Computer Configuration\\Policies\\Administrative Templates\\Printers: Point and Print Restrictions), using which malicious printer drivers could be potentially installed.\n\n\"Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the Point and Print NoWarningNoElevationOnInstall is set to 1,\" Dormann [said](<https://www.kb.cert.org/vuls/id/383432>) Wednesday. Microsoft, for its part, [explains in its advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) that \"Point and Print is not directly related to this vulnerability, but the technology weakens the local security posture in such a way that exploitation will be possible.\"\n\nWhile Microsoft has recommended the nuclear option of stopping and disabling the Print Spooler service, an [alternative workaround](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) is to enable security prompts for Point and Print, and limit printer driver installation privileges to administrators alone by configuring the \"RestrictDriverInstallationToAdministrators\" registry value to prevent regular users from installing printer drivers on a print server.\n\n**UPDATE:** In response to CERT/CC's report, Microsoft [said](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) on Thursday:\n\n\"Our investigation has shown that the OOB [out-of-band] security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-08T04:35:00", "type": "thn", "title": "Microsoft's Emergency Patch Fails to Fully Fix PrintNightmare RCE Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T09:52:49", "id": "THN:CAFA6C5C5A34365636215CFD7679FD50", "href": "https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-17T12:33:10", "description": "[](<https://thehackernews.com/images/-dWO_rqbdIfE/YPENEeXU5vI/AAAAAAAADNg/aAsoS9_8txQ842LEOAjpzJcvpkm6tro9wCLcBGAsYHQ/s0/Windows-Print-Spooler-Vulnerability.jpg>)\n\nMicrosoft on Thursday shared fresh guidance on yet another vulnerability affecting the Windows Print Spooler service, stating that it's working to address it in an upcoming security update.\n\nTracked as [CVE-2021-34481](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) (CVSS score: 7.8), the issue concerns a local privilege escalation flaw that could be abused to perform unauthorized actions on the system. The company credited security researcher Jacob Baines for discovering and reporting the bug.\n\n[](<https://go.thn.li/1-free-728-7> \"Stack Overflow Teams\" )\n\n\"An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges,\" the Windows maker said in its advisory. \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\"\n\nHowever, it's worth pointing out that successful exploitation of the vulnerability requires the attacker to have the ability to execute code on a victim system. In other words, this vulnerability can only be exploited locally to gain elevated privileges on a device.\n\n[](<https://thehackernews.com/images/-KUjZieTgFsk/YPENj7mkDHI/AAAAAAAADNo/7YO-HAzw4LQN5_eg5egoI8gP2YeP34pjwCLcBGAsYHQ/s0/hacking.jpg>)\n\nAs workarounds, Microsoft is recommending users to stop and disable the Print Spooler service to prevent malicious actors from exploiting the vulnerability.\n\nThe development comes days after the Redmond-based firm rolled out patches to address a critical shortcoming in the same component that it disclosed as being actively exploited to stage in-the-wild attacks, making it the third printer-related flaw to come to light in recent weeks.\n\n[](<https://go.thn.li/privileged_300> \"Prevent Data Breaches\" )\n\nDubbed PrintNightmare ([CVE-2021-34527](<https://thehackernews.com/2021/07/microsofts-emergency-patch-fails-to.html>)), the vulnerability stems from a missing permission check in the Print Spooler that enables the installation of malicious print drivers to achieve remote code execution or local privilege escalation on vulnerable systems.\n\nHowever, it later emerged that the out-of-band security update could be entirely bypassed under specific conditions to gain both local privilege escalation and remote code execution. Microsoft has since said the fixes are \"working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-16T04:40:00", "type": "thn", "title": "Microsoft Warns of New Unpatched Windows Print Spooler Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-17T11:53:08", "id": "THN:CF5E93184467C7B8F56A517CE724ABCF", "href": "https://thehackernews.com/2021/07/microsoft-warns-of-new-unpatched.html", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-07T04:45:36", "description": "[](<https://thehackernews.com/images/-wbLrBJlJCfE/YOUa-690-KI/AAAAAAAADG0/6tT84mGPz6gQ_5vYBxhkEE_spk0LW4WpwCLcBGAsYHQ/s0/windows-patch-update.jpg>)\n\nMicrosoft has shipped an [emergency out-of-band security update](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#1646>) to address a critical zero-day vulnerability \u2014 known as \"PrintNightmare\" \u2014 that affects the Windows Print Spooler service and can permit remote threat actors to run arbitrary code and take over vulnerable systems.\n\nTracked as [CVE-2021-34527](<https://thehackernews.com/2021/07/microsoft-warns-of-critical.html>) (CVSS score: 8.8), the remote code execution flaw impacts all supported editions of Windows. Last week, the company warned it had detected active exploitation attempts targeting the vulnerability.\n\n[](<https://go.thn.li/1-free-728-8> \"Stack Overflow Teams\" )\n\n\"The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system,\" the CERT Coordination Center said of the issue.\n\nIt's worth noting that PrintNightmare includes both remote code execution and a [local privilege escalation](<https://github.com/calebstewart/CVE-2021-1675>) vector that can be abused in attacks to run commands with SYSTEM privileges on targeted Windows machines.\n\n[](<https://thehackernews.com/images/-NzUbsCmtpLU/YOUekekqtnI/AAAAAAAADG8/HwnD7Xq3_iYftG9BrRvS1tJxIBOomRzXgCLcBGAsYHQ/s0/lpe.jpg>)\n\n\"The Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant,\" CERT/CC vulnerability analyst Will Dormann [said](<https://www.kb.cert.org/vuls/id/383432>).\n\nThis effectively means that the incomplete fix could still be used by a local adversary to gain SYSTEM privileges. As workarounds, Microsoft recommends stopping and disabling the Print Spooler service or turning off inbound remote printing through Group Policy to block remote attacks.\n\n[](<https://go.thn.li/ransomware_300> \"Prevent Ransomware Attacks\" )\n\nGiven the criticality of the flaw, the Windows maker has issued patches for:\n\n * Windows Server 2019\n * Windows Server 2012 R2\n * Windows Server 2008\n * Windows 8.1\n * Windows RT 8.1, and\n * Windows 10 (versions 21H1, 20H2, 2004, 1909, 1809, 1803, and 1507)\n\nMicrosoft has even taken the unusual step of issuing the fix for Windows 7, which officially reached the end of support as of January 2020.\n\nThe [update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), however, does not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016, for which the Redmond-based company stated patches will be released in the forthcoming days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-07T03:11:00", "type": "thn", "title": "Microsoft Issues Emergency Patch for Critical Windows PrintNightmare Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T03:38:13", "id": "THN:42B8A8C00254E7187FE0F1EF2AF6F5D7", "href": "https://thehackernews.com/2021/07/microsoft-issues-emergency-patch-for.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-07-23T07:50:08", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470.", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T18:15:00", "title": "CVE-2021-34523", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34523"], "modified": "2021-07-22T14:41:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-34523", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34523", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*"]}, {"lastseen": "2021-07-23T07:50:07", "description": "Windows Kernel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34508.", "edition": 2, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-16T21:15:00", "title": "CVE-2021-34458", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34458"], "modified": "2021-07-22T17:06:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34458", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34458", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-20T07:49:23", "description": "Windows MSHTML Platform Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34447.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T18:15:00", "title": "CVE-2021-34497", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34497"], "modified": "2021-07-19T17:41:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2021-34497", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34497", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-20T07:49:23", "description": "Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34525.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T18:15:00", "title": "CVE-2021-34494", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34494"], "modified": "2021-07-19T18:04:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-34494", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34494", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}, {"lastseen": "2021-07-20T07:49:23", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T18:15:00", "title": "CVE-2021-34473", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-07-19T15:35:00", "cpe": ["cpe:/a:microsoft:exchange_server:2016", "cpe:/a:microsoft:exchange_server:2013", "cpe:/a:microsoft:exchange_server:2019"], "id": "CVE-2021-34473", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_9:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_8:*:*:*:*:*:*", "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_20:*:*:*:*:*:*"]}, {"lastseen": "2021-07-17T07:48:41", "description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31979, CVE-2021-34514.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T18:15:00", "title": "CVE-2021-33771", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33771"], "modified": "2021-07-16T14:29:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-33771", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33771", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:r2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-23T07:50:07", "description": "Scripting Engine Memory Corruption Vulnerability", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-16T21:15:00", "title": "CVE-2021-34448", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34448"], "modified": "2021-07-22T17:06:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2021-34448", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34448", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-17T07:48:40", "description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33771, CVE-2021-34514.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-14T18:15:00", "title": "CVE-2021-31979", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979"], "modified": "2021-07-17T03:59:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2021-31979", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-31979", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-15T07:48:28", "description": "Windows Print Spooler Remote Code Execution Vulnerability", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-02T22:15:00", "title": "CVE-2021-34527", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-14T18:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_rt_8.1:-", "cpe:/o:microsoft:windows_server_2008:-", "cpe:/o:microsoft:windows_10:21h1", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_8.1:-", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2021-34527", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-34527", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*"]}], "threatpost": [{"lastseen": "2021-07-13T22:17:17", "description": "Three bugs under active exploit were squashed by Microsoft Tuesday, part of its [July security roundup](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>) of fixes for Windows, Microsoft Office, SharePoint Server and Exchange Server. In all, Microsoft patched 116 bugs. Twelve bugs are rated critical, 103 rated important and one classified as moderate in severity.\n\nBugs under active attack include a critical scripting engine memory corruption ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>)) flaw and two additional Windows kernel elevation-of-privilege vulnerabilities ([CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>), [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>)), both with a severity rating of important. \n[](<https://threatpost.com/newsletter-sign/>)The hundred-plus bug fixes add to a rough July for Microsoft, which rolled out an out-of-band fix for a Windows print spooler remote-code-execution vulnerability ([CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>)), dubbed [PrintNightmare](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>), earlier this month. The nightmare bug, first disclosed in April, was later discovered to be more serious than initially thought.\n\n## **Public, But Not Exploited **\n\nFive of the bugs patched by Microsoft ([CVE-2021-34473](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473>), [CVE-2021-33781](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523>), [CVE-2021-33779](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33779>), [CVE-2021-34492](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34492>)) were publicly known, albeit not exploited. Only one of those bugs (CVE-2021-34473), a Microsoft Exchange Server remote code execution (RCE) vulnerability, has a severity rating of critical, with a CVSS score of 9.1. The bug, one of the highest rated in terms of importance to fix this month, was part of Microsoft\u2019s April Patch Tuesday roundup of fixes, according to commentary by [Cisco Talos](<https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html>).\n\n\u201cThis vulnerability was already patched in Microsoft\u2019s April security update but was mistakenly not disclosed. Users who already installed the April 2021 update are already protected from this vulnerability, though it is worth noting that this issue was part of a series of zero-days in Exchange Server used in a wide-ranging APT attack,\u201d wrote Talos authors Jon Munshaw and Jaeson Schultz.\n\n## **Patching Priorities **\n\nThe most pressing of bugs is a memory corruption vulnerability (CVE-2021-34448) in Windows Server\u2019s scripting engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.\n\n\u201c[This bug] is the most serious vulnerability for me. It is elegant in its simplicity, letting an attacker gain remote code execution just by getting the target to visit a domain,\u201d wrote Kevin Breen, director of cyber threat research with Immersive Labs, in his Patch Tuesday commentary. \u201cWith malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter. Victims could even be attacked by sending .js or .hta files in targeted phishing emails.\u201d\n\nCisco Talos advises system admin to prioritize a patch for a critical bug ([CVE-2021-34464](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34464>)) in Microsoft\u2019s free Defender anti-virus software. \u201cThis issue could allow an attacker to execute remote code on the victim machine. However, users do not need to take any actions to resolve this issue, as the update will automatically install. The company has listed steps in its advisory users can take to ensure the update is properly installed,\u201d wrote Munshaw and Schultz.\n\nResearchers have also identified three SharePoint Server bugs ([CVE-2021-34520](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34520>), [CVE-2021-34467](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34467>), [CVE-2021-34468](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34468>)) as priority patches. Each allow an attacker to execute remote code on the victim machine. All are rated important. However, Microsoft reports that exploitation is \u201cmore likely\u201d with these vulnerabilities, Talos said.\n\nZero Day Initiative\u2019s Dustin Childs recommends tackling ([CVE-2021-34458](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34458>)), a Windows kernel vulnerability. \u201cIt\u2019s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices,\u201d [he wrote](<https://www.zerodayinitiative.com/blog/2021/7/13/the-july-2021-security-update-review>).\n\n\u201cIt\u2019s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it\u2019s not one to ignore. If you have virtual machines in your environment, test and patch quickly,\u201d Childs added.\n\nIn related news, [Adobe\u2019s July patch roundup](<https://threatpost.com/adobe-patches-critical-acrobat/167743/>), also released Tuesday, includes fixes for its ubiquitous and free PDF reader Acrobat 2020 and other software such as Illustrator and Bridge. In all, Adobe patched 20 Acrobat bugs, with nine rated important.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-13T21:26:27", "type": "threatpost", "title": "Microsoft Crushes 116 Bugs, Three Actively Exploited", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771", "CVE-2021-33779", "CVE-2021-33781", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-34464", "CVE-2021-34467", "CVE-2021-34468", "CVE-2021-34473", "CVE-2021-34492", "CVE-2021-34520", "CVE-2021-34523", "CVE-2021-34527"], "modified": "2021-07-13T21:26:27", "id": "THREATPOST:98D815423018872E6E596DAA8131BF3F", "href": "https://threatpost.com/microsoft-crushes-116-bugs/167764/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-17T07:54:28", "description": "A set of unique spyware strains created by an Israeli firm and allegedly used by governments around the world to surveil dissidents has been defanged by Microsoft, the software giant said.\n\nThe private company, called variously Candiru, Grindavik, Saito Tech and Taveta (and dubbed \u201cSourgum\u201d by Microsoft), [reportedly](<https://www.forbes.com/sites/thomasbrewster/2019/10/03/meet-candiru-the-super-stealth-cyber-mercenaries-hacking-apple-and-microsoft-pcs-for-profit/?sh=4f4be6805a39>) sells its wares exclusively to governments, according to Citizen Lab, which first analyzed the malware and flagged it for Microsoft. The code, collectively known as \u201cDevilsTongue,\u201d has been used in highly targeted cyberattacks against civil society, according to [an advisory](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) issued Thursday \u2013 making use of a pair of zero-day vulnerabilities in Windows (now patched).\n\nThe victims number more than 100, and include politicians, human-rights activists, journalists, academics, embassy workers and political dissidents, Citizen Lab and Microsoft said. The targets have been global, located in Armenia, Iran, Israel, Lebanon, Palestine, Singapore, Spain, Turkey, United Kingdom and Yemen.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cSourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets\u2019 computers, phones, network infrastructure and internet-connected devices,\u201d according to Microsoft\u2019s [tandem advisory](<https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/?fbclid=IwAR3eN3x9ZzDt10dZh0aP5tEZ0AIvmu_dzah4F85dEYRlLliUhT3-gUET5Hc>). \u201cThese agencies then choose who to target and run the actual operations themselves.\u201d\n\nCitizen Lab researchers said that DevilsTongue can exfiltrate data and messages from various accounts, including Facebook, Gmail, Skype and Telegram. The spyware can also capture browsing history, cookies and passwords, turn on the target\u2019s webcam and microphone, and take pictures of the screen.\n\n\u201cCapturing data from additional apps, such as Signal Private Messenger, is sold as an add-on,\u201d according to the firm.\n\nMicrosoft noted that the stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering.\n\nThe code can infect and monitor Android phones, cloud accounts, iPhones, Macs and PCs, Citizen Lab researchers said, noting that DevilsTongue\u2019s command-and-control (C2) infrastructure involves more than 750 websites, including \u201cdomains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement as well as media companies.\u201d\n\n## **Millions of Euros**\n\nDevilsTongue as a kit goes for millions of Euros, according to a leaked proposal [[PDF](<https://www.themarker.com/embeds/pdf_upload/2020/20200902-161742.pdf>)] obtained by Citizen Lab. It can be deployed in a number of attack vectors, including via malicious links, attached files in emails and man-in-the-middle attacks. The cost depends on the number of concurrent infections a user would like to maintain.\n\n\u201cThe \u20ac16 million project proposal allows for an unlimited number of spyware infection attempts, but the monitoring of only 10 devices simultaneously,\u201d according to Citizen Lab. \u201cFor an additional \u20ac1.5M, the customer can purchase the ability to monitor 15 additional devices simultaneously, and to infect devices in a single additional country. For an additional \u20ac5.5M, the customer can monitor 25 additional devices simultaneously, and conduct espionage in five more countries.\u201d\n\nIt added, \u201cFor a further additional \u20ac1.5M fee, customers can purchase a remote-shell capability, which allows them full access to run any command or program on the target\u2019s computer. This kind of capability is especially concerning, given that it could also be used to download files, such as planting incriminating materials, onto an infected device.\u201d\n\nUse of DevilsTongue is restricted in a handful of countries, including China, Iran, Israel, Russia and the U.S. However, there are, apparently, loopholes.\n\n\u201cMicrosoft observed Candiru victims in Iran, suggesting that in some situations, products from Candiru do operate in restricted territories,\u201d Citizen Lab researchers said. \u201cIn addition, targeting infrastructure disclosed in this report includes domains masquerading as the Russian postal service.\u201d\n\n## **Zero-Day Exploits**\n\nThe spyware exploits two elevation-of-privilege security vulnerabilities in Windows, CVE-2021-31979 and CVE-2021-33771, both of which [were addressed](<https://threatpost.com/microsoft-crushes-116-bugs/167764/>) in Microsoft\u2019s July Patch Tuesday update this week. The attacks are carried out via \u201ca chain of exploits that impacted popular browsers and our Windows operating system,\u201d Microsoft noted.\n\nBoth bugs give an attacker the ability to escape browser sandboxes and gain kernel code execution, Microsoft said:\n\n * **CVE-2021-31979:** An integer overflow within Windows NT-based operating system (NTOS). \u201cThis overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool,\u201d according to Microsoft. \u201cA buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This vulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.\u201d\n * **CVE-2021-33771:** A race condition within NTOS resulting in the use-after-free of a kernel object. \u201cBy using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object,\u201d explained Microsoft. \u201cLike the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.\u201d\n\nTo mitigate the attacks, Microsoft said that it \u201cbuilt protections into our products against the unique malware Sourgum created,\u201d in addition to the patching.\n\n\u201cThese attacks have largely targeted consumer accounts, indicating Sourgum\u2019s customers were pursuing particular individuals,\u201d according to Microsoft. \u201cThe protections we issued this week will prevent Sourgum\u2019s tools from working on computers that are already infected and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint.\u201d\n\nPrivate brokers of cyberattack kits for government surveillance have been publicized mainly thanks to another Israeli firm, NSO Group, which created the Pegasus spyware that enables customers to remotely exploit and monitor mobile devices. NSO Group has [long maintained](<https://threatpost.com/nso-group-president-defends-controversial-tactics/150694/>) that its kit is meant to be a tool for governments to use in fighting crime and terror, and that it\u2019s not complicit in any government\u2019s misuse of it. However, critics say that repressive governments use it for [more nefarious purposes](<https://threatpost.com/nso-group-impersonates-facebook-security/156021/>) to track dissidents, journalists and other members of civil society \u2014 and that NSO Group assists them. In December, Pegasus [added](<https://threatpost.com/zero-click-apple-zero-day-pegasus-spy-attack/162515/>) an exploit for a zero-day in Apple\u2019s iMessage feature for iPhone.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T15:55:57", "type": "threatpost", "title": "Windows 0-Days Used Against Dissidents in Israeli Broker\u2019s Spyware", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771"], "modified": "2021-07-16T15:55:57", "id": "THREATPOST:D112254AD1BEFC1317E4CFFA015742B2", "href": "https://threatpost.com/windows-zero-days-israeli-spyware-dissidents/167865/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T07:53:10", "description": "Microsoft has released an emergency patch for the PrintNightmare, a set of two critical remote code-execution (RCE) vulnerabilities in the Windows Print Spooler service that hackers can use to take over an infected system. However, more fixes are necessary before all Windows systems affected by the bug are completely protected, according to the federal government.\n\nMicrosoft on Tuesday released an [out-of-band update](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for several versions of Windows to address [CVE-2021-34527](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34527>), the second of two bugs that were initially thought to be one flaw and which have been dubbed PrintNightmare by security researchers.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nHowever, the latest fix only appears to address the RCE variants of PrintNightmare, and not the local privilege escalation (LPE) variant, according to an [advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>) by the Cybersecurity Infrastructure and Security Administration (CISA), citing a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) published by the CERT Coordination Center (CERT/CC).\n\nMoreover, the updates do not include Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, which will be patched at a later date, according to CERT/CC.\n\n## **A Tale of Two Vulnerabilities**\n\nThe PrintNightmare saga [began last Tuesday](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) when a proof-of-concept (PoC) exploit for the vulnerability \u2014 at that time tracked as CVE-2021-1675 \u2014 was dropped on GitHub showing how an attacker can exploit the vulnerability to take control of an affected system. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [patch for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), addressing what it thought was a minor EoP vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, it soon became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. CERT/CC on Thursday offered its own workaround for PrintNightmare, advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote in the advisory at the time. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\n## **Microsoft Issues Incomplete Patch**\n\nThe fix released this week addresses CVE-2021-34527, and includes protections for CVE-2021-1675, according to the CISA, which is encouraging users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\nBut as noted, it won\u2019t fix all systems.\n\nSo, in cases where a system is not protected by the patch, Microsoft is offering several workarounds for PrintNightmare. One is very similar to the federal government\u2019s solution from last week: To stop and disable the Print Spooler service \u2014 and thus the ability to print both locally and remotely \u2014 by using the following PowerShell commands: Stop-Service -Name Spooler -Force and Set-Service -Name Spooler -StartupType Disabled.\n\nThe second workaround is to disable inbound remote printing through Group Policy by disabling the \u201cAllow Print Spooler to accept client connections\u201d policy to block remote attacks, and then restarting the system. In this case, the system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nAnother potential option to prevent remote exploitation of the bug that has worked in \u201climited testing\u201d is to block both the RPC Endpoint Mapper (135/tcp) and SMB (139/tcp and 445/tcp) at the firewall level, according to CERT/CC. However, \u201cblocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server,\u201d the center advised.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-07T10:55:02", "type": "threatpost", "title": "Microsoft Releases Emergency Patch for PrintNightmare Bugs", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T10:55:02", "id": "THREATPOST:6F7C157D4D3EB409080D90F02185E728", "href": "https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-06T21:23:56", "description": "The U.S. government has stepped in to offer a mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft\u2019s initial effort to fix it.\n\nTo mitigate the bug, [dubbed PrintNightmare](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), the CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for CVE-2021-1675 urging system administrations to disable the Windows Print Spooler service in Domain Controllers and systems that do not print, the Cybersecurity Infratructure and Security Administration (CISA) said [in a release](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) Thursday. CERT/CC is part of the Software Engineering Institute, a federally funded research center operated by Carnegie Mellon University.\n\n\u201cWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does NOT protect Active Directory domain controllers, or systems that have [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) configured with the NoWarningNoElevationOnInstall option configured,\u201d CERT/CC researchers wrote in the note.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe mitigation is in response to a scenario that unfolded earlier this week when a proof-of-concept (POC) for PrintNightmare was dropped on GitHub on Tuesday. While it was taken back down within a few hours, the code was copied and remains in circulation on the platform. An attacker can use the POC to exploit the vulnerability to take control of an affected system.\n\nIn the meantime, Microsoft Thursday put out a new advisory of its own on PrintNightmare that assigns a new CVE and seems to suggest a new attack vector while attempting to clarify confusion that has arisen over it.\n\nWhile the company originally addressed CVE-2021-1675 in [June\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>) as a minor elevation-of-privilege vulnerability, the listing was updated last week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that the patch appears to fail against the RCE aspect of the bug\u2014hence CISA\u2019s offer of another mitigation and Microsoft\u2019s update.\n\n## **Assignment of New CVE?**\n\nRegarding the latter, the company dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) Thursday for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appears to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527.\n\nThe description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is \u201can evolving situation.\n\n\u201cA remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to the notice. \u201cAn attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn a \u201cFAQ\u201d section in the security update, Microsoft attempts to explain CVE-2021-34527\u2019s connection to CVE-2021-1675.\n\n\u201cIs this the vulnerability that has been referred to publicly as PrintNightmare? Yes, Microsoft has assigned CVE-2021-34527 to this vulnerability,\u201d the company wrote.\n\nHowever, the answer to the question \u201cIs this vulnerability related to CVE-2021-1675?\u201d suggests that CVE-2021-34527 is a different issue.\n\n\u201cThis vulnerability is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(),\u201d the company wrote. \u201cThe attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update.\u201d\n\nMicrosoft goes on to explain that CVE-2021-34527 existed before the June Patch Tuesday updates and that it affects domain controllers in \u201call versions of Windows.\u201d\n\n**\u201c**We are still investigating whether all versions are exploitable,\u201d the company wrote. \u201cWe will update this CVE when that information is evident.\u201d\n\nMicrosoft did not assign a score to CVE-2021-34527, citing its ongoing investigation.\n\n## **Two Vulnerabilities?**\n\nIn retrospect, one security researcher noted to Threatpost when news of PrintNightmare surfaced Tuesday that it was \u201ccurious\u201d that the CVE for the original vulnerability was \u201c-1675,\u201d observing that \u201cmost of the CVEs Microsoft patched in June are -31000 and higher.\u201d\n\n\u201cThis could be an indicator that they have known about this bug for some time, and fully addressing it is not trivial,\u201d Dustin Childs of Trend Micro\u2019s Zero Day Initiative told Threatpost at the time.\n\nNow it appears that perhaps Microsoft was patching only part of a more complex vulnerability. The likely scenario appears to be that there are two bugs in Windows Print Spooler that could offer attackers some kind of exploit chain or be used separately to take over systems.\n\nWhile one flaw may indeed have been addressed in June\u2019s Patch Tuesday update, the other could be mitigated by CERT/CC\u2019s workaround\u2014or could remain to be patched by a future Microsoft update that comes after the company completes its investigation.\n\nThe company\u2019s release Thursday of a new CVE related to PrintNightmare seems to be an initial attempt to clarify the situation, though given its developing nature, it remains a bit hazy for now.\n\n_**Check out our free **_[_**upcoming live and on-demand webinar events**_](<https://threatpost.com/category/webinars/>)_** \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community.**_\n", "cvss3": {}, "published": "2021-07-02T12:21:02", "type": "threatpost", "title": "CISA Offers New Mitigation for PrintNightmare Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-30116", "CVE-2021-34527"], "modified": "2021-07-02T12:21:02", "id": "THREATPOST:933913B1D9B9CF84D33FECFC77C2FDC8", "href": "https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-19T16:25:33", "description": "Microsoft has warned of yet another vulnerability that\u2019s been discovered in its Windows Print Spooler that can allow attackers to elevate privilege to gain full user rights to a system. The advisory comes on the heels of patching two other remote code-execution (RCE) bugs found in the print service that collectively became known as PrintNightmare.\n\nThe company released [the advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481>) late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as [CVE-2021-34481](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34481>). Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue.\n\nThe vulnerability \u201cexists when the Windows Print Spooler service improperly performs privileged file operations,\u201d according to Microsoft.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nAttackers who successfully exploit the bug can run arbitrary code with SYSTEM privileges, allowing them to install programs, view, change or delete data, or create new accounts with full user rights, the company said.\n\nTo work around the bug, administrators and users should stop and disable the Print Spooler service, Microsoft said.\n\n## **Slightly Less of a \u2018PrintNightmare\u2019**\n\nThe vulnerability is the latest in a flurry of problems discovered in Windows Print Spooler, but seems slightly less dangerous, as it can only be exploited locally. It rates 7.8 out of 10 on the CVSS vulnerability-severity scale.\n\nIndeed, [Baines told BleepingComputer](<https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-guidance-on-new-windows-print-spooler-vulnerability/>) that while the bug is print driver-related, \u201cthe attack is not really related to PrintNightmare.\u201d Baines plans to disclose more about the little-known vulnerability in [an upcoming presentation](<https://defcon.org/html/defcon-29/dc-29-speakers.html#baines>) at DEF CON in August.\n\nThe entire saga surrounding Windows Print Spooler [began Tuesday, June 30](<https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/>), when a proof-of-concept (PoC) for an initial vulnerability in the print service was dropped on GitHub showing how an attacker can exploit the flaw to take control of an affected system.\n\nThe response to the situation soon turned into confusion. Though Microsoft released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) in it its usual raft of [monthly Patch Tuesday updates](<https://threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/>), fixing what it thought was a minor elevation-of-privilege vulnerability, the listing was updated later in the week after researchers from Tencent and NSFOCUS TIANJI Lab figured out it could be used for RCE.\n\nHowever, soon after it became clear to many experts that Microsoft\u2019s initial patch didn\u2019t fix the entire problem. The federal government even stepped in last Thursday, when CERT/CC [offered its own mitigation](<https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/>) for PrintNightmare that Microsoft has since adopted \u2014 advising system administrators to disable the Windows Print Spooler service in Domain Controllers and systems that do not print.\n\nTo further complicate matters, Microsoft also last Thursday dropped [a notice](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) for a bug called \u201cWindows Print Spooler Remote Code Execution Vulnerability\u201d that appeared to be the same vulnerability, but with a different CVE number\u2014in this case, CVE-2021-34527. The company explained that the second bug was similar to the earlier PrintNightmare vulnerability but also its own distinct entity.\n\nEventually, Microsoft last Wednesday [released an emergency cumulative patch](<https://threatpost.com/microsoft-emergency-patch-printnightmare/167578/>) for both PrintNightmare bugs that included all previous patches as well as protections for CVE-2021-1675 as well as a new fix for CVE-2021-34527.\n\nHowever, that fix also [was incomplete](<https://www.kb.cert.org/vuls/id/383432>), and Microsoft continues to work on further remediations as it also works to patch this latest bug, CVE-2021-34481. In the meantime, affected customers should install the most recent Microsoft updates as well as use the workaround to avoid exploitation, the company said.\n\n**_Check out our free _**[**_upcoming live and on-demand webinar events_**](<https://threatpost.com/category/webinars/>)**_ \u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {}, "published": "2021-07-16T11:57:53", "type": "threatpost", "title": "Microsoft: Unpatched Bug in Windows Print Spooler", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34481", "CVE-2021-34527"], "modified": "2021-07-16T11:57:53", "id": "THREATPOST:A8242348917526090B7A1B23735D5C6C", "href": "https://threatpost.com/microsoft-unpatched-bug-windows-print-spooler/167855/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "avleonov": [{"lastseen": "2021-07-28T14:34:07", "description": "Hello everyone! For the past 9 months, I&#x27;ve been doing Microsoft Patch Tuesday reviews quarterly. Now I think it would be better to review the July Patch Tuesday while the topic is still fresh. And that will save us some time in the next Last Week\u2019s Security news episode. So, July Patch Tuesday, 116 vulnerabilities.\n\nThe 2 most critical are the Windows Kernel Elevation of Privilege Vulnerabilities (CVE-2021-31979, CVE-2021-33771). These vulnerabilities are critical because they are used in real attacks according to Microsoft\u2019s Threat Intelligence Center and Security Response Center. Tenable: &quot;A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero.&quot;\n\nAnother vulnerability with a sign of exploitation in the wild is Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448). ZDI: &quot;The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn\u2019t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (&gt;8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.&quot;\n\nA rare Windows Kernel Remote Code Execution Vulnerability (CVE-2021-34458). ZDI &quot;This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It\u2019s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it\u2019s not one to ignore. If you have virtual machines in your environment, test and patch quickly.&quot;\n\nNext most critical 3 Remote Code Executions in Windows DNS Server (CVE-2021-33780, CVE-2021-34494, CVE-2021-34525). User interaction is not required for the exploitation. Tenable: &quot;Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server.&quot;\n\nRCE in Microsoft Exchange Server (CVE-2021-31206). It was disclosed during the last Pwn2Own contest. Nothing else is known about it. It is not yet clear whether this will be the second ProxyLogon. And there&#x27;s a funny thing about Exchange as well. ZDI: &quot;The real surprise in this month\u2019s Exchange patches are the three bugs patched in April but not documented until today.&quot; So, you understand, right? You are trying to figure out, based on the analysis of the CVE list, whether it is worth installing a particular patch. But it turns out that the information about what exactly fixes this patch is incomplete. Therefore, if possible, just install all patches regularly, rather than trying to choose what to install and what not.\n\nAnd finally \u201cExploitation Less Likely\u201d RCE vulnerability in Windows Hyper-V (CVE-2021-34450). Tenable: &quot;It would allow an attacker who is authenticated to a guest virtual machine (VM) to send crafted requests to execute arbitrary code on the host machine (\u2026) it is important to consider that malware variants commonly look to escape VMs and infect the host machine&quot;.\n\nFull Vulristics report [ms_patch_tuesday_july2021_report_avleonov_comments](<https://avleonov.com/vulristics_reports/ms_patch_tuesday_july2021_report_avleonov_comments.html>)\n\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-14T21:00:27", "type": "avleonov", "title": "Vulristics Microsoft Patch Tuesday July 2021: Zero-days EoP in Kernel and RCE in Scripting Engine, RCEs in Kernel, DNS Server, Exchange and Hyper-V", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34494", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34458", "CVE-2021-31206", "CVE-2021-34450", "CVE-2021-34525", "CVE-2021-33780", "CVE-2021-31979"], "modified": "2021-07-14T21:00:27", "id": "AVLEONOV:BAA1E4E49B508F98138C7EBA9B9C07E6", "href": "http://feedproxy.google.com/~r/avleonov/~3/fnpS1VKtsh0/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:07", "description": "Hello guys! The second episode of Last Week\u2019s Security news from June 28 to July 4.\n\nThe most interesting vulnerability of the last week is of course [Microsoft Print Spooler &quot;PrintNightmare&quot;](<https://www.tenable.com/blog/cve-2021-1675-proof-of-concept-leaked-for-critical-windows-print-spooler-vulnerability>). By [sending an RpcAddPrinterDriverEx() RPC request](<https://www.kb.cert.org/vuls/id/383432>), for example over SMB, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable Windows system. And there is a public PoC exploit for this vulnerability published by the Chinese security firm Sangfor. And there is some strange story. It turns out that Sangfor published an exploit for the 0day vulnerability. But they thought this vulnerability (CVE-2021-1675) had already been patched as part of the June Micorosft Patch Tuesday. And then it turns out that this is a bug in the Microsoft patch. But Microsoft wrote that this is a different, new vulnerability CVE-2021-34527 and so there were no problems with the previous patch. In any case, a patch for this vulnerability has not yet been released and [Microsoft is suggesting two Workarounds](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Option 1 - Disable the Print Spooler service, Option 2 - Disable inbound remote printing through Group Policy. Do this first for Domain Controllers and other critical Windows servers. All versions of Windows contain the vulnerable code and are susceptible to exploitation. Also note that the new vulnerability has a flag Exploitation Detected on the MS site. \n\nThe most interesting attack of the week is [Kaseya VSA Supply-Chain Attack](<https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689>). Kaseya Limited is an American software company that develops software for managing networks, systems, and information technology infrastructure. [Kaseya VSA](<https://www.kaseya.com/products/vsa/>) (Virtual System Administrator) is a cloud-based MSP (Managed Service Provider) platform that allows providers to perform patch management and client monitoring for their customers. So, REvil gang used around [30 MSPs across the US, AUS, EU, and LATAM where Kaseya VSA was to encrypt over 1,000 businesses](<https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/>). It is now believed that this was an attack on on-premises VSA servers using SQL injection and authentication bypass vulnerabilities. Well, by agreeing to use the MSP, be prepared for such surprises.\n\nContinuing the topic of vulnerabilities in services that simplify system administration, Finnish cybersecurity company Nixu [has published a writeup for Remote Code Execution](<https://www.nixu.com/blog/remote-code-execution-vulnerability-microsoft-intune-managed-windows-devices>) vulnerability in Microsoft Intune managed Windows devices ([CVE-2021-31980](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31980>)) from June Patch Tuesday. &quot;This proof-of-concept shows that remote attackers can run code with system privileges on a Windows machine by intercepting the TLS connections. This vulnerability could be exploited to install malware to the victim\u2019s machine to take persistent full control over it&quot;. Intune Management Extension updates itself without any user action when the computer is connected to internet. But computers not connected to internet might still run the vulnerable version on startup.\n\nI liked the [new Metasploit module](<https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/LOCAL/DOCKER_RUNC_ESCAPE/>) that leverages a flaw in `runc` to escape a Docker container and get command execution on the host as root. It overwrites the `runc` binary with the payload and wait for someone to use `docker exec` to get into the container.\n\nAnd I want to mention these vulnerabilities: \n\n * [Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks.](<https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/>) &quot;Remotely inject and execute arbitrary code on any website just by sending a message&quot;.\n * [Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464)](<https://blog.rapid7.com/2021/06/30/forgerock-openam-pre-auth-remote-code-execution-vulnerability-what-you-need-to-know/>) in ForgeRock Access Manager.\n * The vulnerability in Windows 10 allows a low-privileged user to [wipe out arbitrary files needed for UEFI boot](<https://www.thezdi.com/blog/2021/6/30/cve-2021-26892-an-authorization-bypass-on-the-microsoft-windows-efi-system-partition>).\n * [Western Digital&#x27;s older network-attached storage systems](<https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-0-day-vulnerabilities/d/d-id/1341440>) allowed unauthenticated commands to trigger a factory reset, formatting the hard drives.\n * Microsoft Discloses [Critical Bugs Allowing Takeover](<https://thehackernews.com/2021/06/microsoft-discloses-critical-bugs.html>) of [NETGEAR Routers](<https://www.netgear.com/support/product/DGN2200v1.aspx>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-05T15:19:07", "type": "avleonov", "title": "Last Week\u2019s Security news: PrintNightmare, Kaseya, Intune, Metasploit Docker escape", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-35464", "CVE-2021-1675", "CVE-2021-34527", "CVE-2021-26892", "CVE-2021-31980"], "modified": "2021-07-05T15:19:07", "id": "AVLEONOV:30285D85FDB40C8D55F6A24D9D446ECF", "href": "http://feedproxy.google.com/~r/avleonov/~3/iv5hnOt7XD8/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2021-07-28T14:38:15", "description": "On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible. CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability. Following the out of band release \u2026\n\n[ Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability Read More \u00bb](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-09T01:00:42", "type": "msrc", "title": "Clarified Guidance for CVE-2021-34527 Windows Print Spooler Vulnerability", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T01:00:42", "id": "MSRC:239E65C8BEB88185329D9990C80B10DF", "href": "https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:38:15", "description": "Today Microsoft released an Out-of-Band (OOB) security update for CVE-2021-34527, which is being discussed externally as PrintNightmare. This is a cumulative update release, so it contains all previous security fixes and should be applied immediately to fully protect your systems. The fix that we released today fully addresses the public vulnerability, and it also includes a new feature that allows customers to implement stronger protections. See: KB5005010: \u2026\n\n[ Out-of-Band (OOB) Security Update available for CVE-2021-34527 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/>)", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-06T23:36:00", "type": "msrc", "title": "Out-of-Band (OOB) Security Update available for CVE-2021-34527", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-06T23:36:00", "id": "MSRC:CB3C49E52425E7C1B0CFB151C6D488A4", "href": "https://msrc-blog.microsoft.com/2021/07/06/out-of-band-oob-security-update-available-for-cve-2021-34527/", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "mssecure": [{"lastseen": "2021-07-28T14:38:14", "description": "The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits ([CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>) and [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>)).\n\nPrivate-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets\u2019 computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.\n\nMSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen Lab, at the University of Toronto&#x27;s Munk School, for sharing the sample of malware that initiated this work and their collaboration during the investigation. In their [blog](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>), Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. [Third-party reports](<https://www.haaretz.com/middle-east-news/.premium-top-secret-israeli-cyberattack-firm-revealed-1.6805950>) indicate Candiru produces \u201chacking tools [that] are used to break into computers and servers\u201d_. _\n\nAs we shared in the [Microsoft on the Issues blog](<https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/>), Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling _DevilsTongue_. We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that will protect Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware.\n\n## SOURGUM victimology\n\nMedia reports ([1](<https://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-to-repressive-regimes-documents-claim>), [2](<https://www.theguardian.com/media/2020/dec/20/citizen-lab-nso-dozens-of-aljazeera-journalists-allegedly-hacked-using-israeli-firm-spyware>), [3](<https://www.wired.co.uk/article/phone-hacking-mollitiam-industries>)) indicate that PSOAs often sell Windows exploits and malware in hacking-as-a-service packages to government agencies. Agencies in Uzbekistan, United Arab Emirates, and Saudi Arabia are among the list of Candiru\u2019s [alleged previous customers](<https://urldefense.com/v3/__https:/www.forbes.com/sites/thomasbrewster/2019/10/03/meet-candiru-the-super-stealth-cyber-mercenaries-hacking-apple-and-microsoft-pcs-for-profit/__;!!OPvj_Mo!qxCbqIivPDfDqHshaSJGunR3h_DoOYV2RVnwMJgvScAoj3M1t_G2HZOUIdiCpg$>). These agencies, then, likely choose whom to target and run the cyberoperations themselves.\n\nMicrosoft has identified over 100 victims of SOURGUM\u2019s malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn\u2019t necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common.\n\nAny [Microsoft 365 Defender](<https://www.microsoft.com/en-us/security/business/threat-protection/microsoft-365-defender>) and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) alerts containing detection names for the DevilsTongue malware name are signs of compromise by SOURGUM\u2019s malware. We have included a comprehensive list of detection names below for customers to perform additional hunting in their environments.\n\n## Exploits\n\nSOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.\n\nDuring the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.\n\n[CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>) fixes an integer overflow within Windows NT-based operating system (NTOS). This overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool. A buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This vulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.\n\n[CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>) addresses a race condition within NTOS resulting in the use-after-free of a kernel object. By using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object. Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.\n\n## DevilsTongue malware overview\n\nDevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities. Analysis is still on-going for some components and capabilities, but we\u2019re sharing our present understanding of the malware so defenders can use this intelligence to protect networks and so other researchers can build on our analysis.\n\nFor files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security.\n\nWhen the malware is installed, a first-stage \u2018hijack\u2019 malware DLL is dropped in a subfolder of _C:\\Windows\\system32\\IME\\_; the folders and names of the hijack DLLs blend with legitimate names in the _\\IME\\_ directories. Encrypted second-stage malware and config files are dropped into subfolders of _C:\\Windows\\system32\\config\\ _with a _.dat _file extension. A third-party legitimate, signed driver _physmem.sys_ is dropped to the _system32\\drivers _folder. A file called _WimBootConfigurations.ini_ is also dropped; this file has the command for following the COM hijack. Finally, the malware adds the hijack DLL to a COM class registry key, overwriting the legitimate COM DLL path that was there, achieving persistence via [COM hijacking](<https://attack.mitre.org/techniques/T1546/015/>).\n\nFrom the COM hijacking, the DevilsTongue first-stage hijack DLL gets loaded into a _svchost.exe_ process to run with SYSTEM permissions. The COM hijacking technique means that the original DLL that was in the COM registry key isn\u2019t loaded. This can break system functionality and trigger an investigation that could lead to the discovery of the malware, but DevilsTongue uses an interesting technique to avoid this. In its _DllMain_ function it calls _LoadLibrary_ on the original COM DLL so it is correctly loaded into the process. DevilsTongue then searches the call stack to find the return address of _LoadLibraryExW_ (i.e., the function currently loading the DevilsTongue DLL), which would usually return the base address of the DevilsTongue DLL.\n\nOnce the _LoadLibraryExW_ return address has been found, DevilsTongue allocates a small buffer with shellcode that puts the COM DLL\u2019s base address (_imecfmup.7FFE49060000_ in Figure 1) into the _rax_ register and then jumps to the original return address of _LoadLibraryExW_ (_svchost.7FF78E903BFB_ in Figures 1 and 2). In Figure 1 the COM DLL is named _imecfmup_ rather than a legitimate COM DLL name because some DevilsTongue samples copied the COM DLL to another location and renamed it.\n\n\n\n_Figure 1. _DevilsTongue _return address modification shellcode_\n\nDevilsTongue then swaps the original _LoadLibraryExW_ return address on the stack with the address of the shellcode so that when _LoadLibraryExW_ returns it does so into the shellcode (Figures 2 and 3). The shellcode replaces the DevilsTongue base address in _rax_ with the COM DLL\u2019s base address, making it look like _LoadLibraryExW_ has returned the COM DLL\u2019s address. The _svchost.exe_ host process now uses the returned COM DLL base address as it usually would.\n\n\n\n_Figure 2. Call stack before stack swap, LoadLibraryExW in kernelbase returning to svchost.exe (0x7FF78E903BFB)_\n\n\n\n_Figure 3. Call stack after stack swap, LoadLibraryExW in kernelbase returning to the shellcode address (0x156C51E0000 from Figure 1)_\n\nThis technique ensures that the DevilsTongue DLL is loaded by the _svchost.exe_ process, giving the malware persistence, but that the legitimate COM DLL is also loaded correctly so there\u2019s no noticeable change in functionality on the victim\u2019s systems.\n\nAfter this, the hijack DLL then decrypts and loads a second-stage malware DLL from one of the encrypted _.dat_ files. The second-stage malware decrypts another _.dat_ file that contains multiple helper DLLs that it relies on for functionality.\n\nDevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI commands, and querying SQLite databases. It\u2019s capable of stealing victim credentials from both LSASS and from browsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the [Signal](<https://signal.org/>) messaging app.\n\nIt can retrieve cookies from a variety of web browsers. These stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering. Cookies can be collected from these paths (_* is a wildcard to match any folders_):\n\n * _%LOCALAPPDATA%\\Chromium\\User Data\\\\*\\Cookies_\n * _%LOCALAPPDATA%\\Google\\Chrome\\User Data\\\\*\\Cookies_\n * _%LOCALAPPDATA%\\Microsoft\\Windows\\INetCookies_\n * _%LOCALAPPDATA%\\Packages\\\\*\\AC\\\\*\\MicrosoftEdge\\Cookies_\n * _%LOCALAPPDATA%\\UCBrowser\\User Data_i18n\\\\*\\Cookies.9_\n * _%LOCALAPPDATA%\\Yandex\\YandexBrowser\\User Data\\\\*\\Cookies_\n * _%APPDATA%\\Apple Computer\\Safari\\Cookies\\Cookies.binarycookies_\n * _%APPDATA%\\Microsoft\\Windows\\Cookies_\n * _%APPDATA%\\Mozilla\\Firefox\\Profiles\\\\*\\cookies.sqlite_\n * _%APPDATA%\\Opera Software\\Opera Stable\\Cookies_\n\nInterestingly, DevilsTongue seems able to use cookies directly from the victim\u2019s computer on websites such as Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim\u2019s messages, and retrieve photos. DevilsTongue can also send messages as the victim on some of these websites, appearing to any recipient that the victim had sent these messages. The capability to send messages could be weaponized to send malicious links to more victims.\n\nAlongside DevilsTongue a third-party signed driver is dropped to _C:\\Windows\\system32\\drivers\\physmem.sys_. The driver\u2019s description is \u201cPhysical Memory Access Driver,\u201d and it appears to offer a \u201cby-design&quot; kernel read/write capability. This appears to be abused by DevilsTongue to proxy certain API calls via the kernel to hinder detection, including the capability to have some of the calls appear from other processes. Functions capable of being proxied include _CreateProcessW, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, ReadProcessMemory, CreateFileW _and_ RegSetKeyValueW_.\n\n## Prevention and detection\n\nTo prevent compromise from browser exploits, it\u2019s recommended to use an isolated environment, such as a virtual machine, when opening links from untrusted parties. Using a modern version of Windows 10 with virtualization-based protections, such as Credential Guard, prevents DevilsTongue\u2019s LSASS credential-stealing capabilities. Enabling the attack surface reduction rule \u201c[Block abuse of exploited vulnerable signed drivers](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-abuse-of-exploited-vulnerable-signed-drivers>)\u201d in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. [Network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide>) blocks known SOURGUM domains.\n\n### Detection opportunities\n\nThis section is intended to serve as a non-exhaustive guide to help customers and peers in the cybersecurity industry to detect the DevilsTongue malware. We\u2019re providing this guidance with the expectation that SOURGUM will likely change the characteristics we identify for detection in their next iteration of the malware. Given the actor\u2019s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.\n\n#### File locations\n\nThe hijack DLLs are in subfolders of _\\system32\\ime\\ _with names starting with \u2018_im\u2019. _However, they are blended with legitimate DLLs in those folders. To distinguish between the malicious and benign, the legitimate DLLs are signed (on Windows 10) whereas the DevilsTongue files aren\u2019t_. _Example paths:\n\n * _C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll _\n * _C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL_\n * _C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll_\n\n_ _The DevilsTongue configuration files, which are AES-encrypted, are in subfolders of _C:\\Windows\\system32\\config\\ _and have a _.dat_ extension. The exact paths are victim-specific, although some folder names are common across victims. As the files are AES-encrypted, any files whose size mod 16 is 0 can be considered as a possible malware config file. The config files are always in new folders, not the legitimate existing folders (e.g., on Windows 10, never in \\Journal, \\systemprofile, \\TxR etc.). Example paths:\n\n * _C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat_\n * _C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat_\n * _C:\\Windows\\system32\\config\\config\\startwus.dat_\n\nCommonly reused folder names in the config file paths:\n\n * _spp_\n * _SKB_\n * _curv_\n * _networklist_\n * _Licenses_\n * _InputMethod_\n * _Recovery_\n\nThe .ini reg file has the unique name _WimBootConfigurations.ini _and is in a subfolder of _system32\\ime\\_. Example paths:\n\n * _C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini_\n * _C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini_\n * _C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini_\n\nThe Physmem driver is dropped into system32:\n\n * _C:\\Windows\\system32\\drivers\\physmem.sys \n_\n\n#### Behaviors\n\nThe two COM keys that have been observed being hijacked for persistence are listed below with their default clean values. If their default value DLL is in the _\\system32\\ime\\ _folder, the DLL is likely DevilsTongue.\n\n * _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32 _= _%systemroot%\\system32\\wbem\\wmiutils.dll (clean default value_)\n * _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32 = __%systemroot%\\system32\\wbem\\wbemsvc.dll (clean default value_)\n\n#### File content and characteristics\n\nThis Yara rule can be used to find the DevilsTongue hijack DLL:\n\n`import \"pe\" \nrule DevilsTongue_HijackDll \n{ \nmeta: \ndescription = \"Detects SOURGUM's DevilsTongue hijack DLL\" \nauthor = \"Microsoft Threat Intelligence Center (MSTIC)\" \ndate = \"2021-07-15\" \nstrings: \n$str1 = \"windows.old\\\\windows\" wide \n$str2 = \"NtQueryInformationThread\" \n$str3 = \"dbgHelp.dll\" wide \n$str4 = \"StackWalk64\" \n$str5 = \"ConvertSidToStringSidW\" \n$str6 = \"S-1-5-18\" wide \n$str7 = \"SMNew.dll\" // DLL original name \n// Call check in stack manipulation \n// B8 FF 15 00 00 mov eax, 15FFh \n// 66 39 41 FA cmp [rcx-6], ax \n// 74 06 jz short loc_1800042B9 \n// 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ; '\u00e8' \n$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8} \n// PRNG to generate number of times to sleep 1s before exiting \n// 44 8B C0 mov r8d, eax \n// B8 B5 81 4E 1B mov eax, 1B4E81B5h \n// 41 F7 E8 imul r8d \n// C1 FA 05 sar edx, 5 \n// 8B CA mov ecx, edx \n// C1 E9 1F shr ecx, 1Fh \n// 03 D1 add edx, ecx \n// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch \n// 44 2B C1 sub r8d, ecx \n// 45 85 C0 test r8d, r8d \n// 7E 19 jle short loc_1800014D0 \n$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19} \ncondition: \nfilesize < 800KB and \nuint16(0) == 0x5A4D and \n(pe.characteristics & pe.DLL) and \n( \n4 of them or \n($code1 and $code2) or \n(pe.imphash() == \"9a964e810949704ff7b4a393d9adda60\") \n) \n}`\n\n### Microsoft Defender Antivirus detections\n\nMicrosoft Defender Antivirus detects DevilsTongue malware with the following detections:\n\n * _Trojan:Win32/DevilsTongue.A!dha_\n * _Trojan:Win32/DevilsTongue.B!dha_\n * _Trojan:Script/DevilsTongueIni.A!dha_\n * _VirTool:Win32/DevilsTongueConfig.A!dha_\n * _HackTool__:Win32/DevilsTongueDriver.A!dha_\n\n### Microsoft Defender for Endpoint alerts\n\nAlerts with the following titles in the security center can indicate DevilsTongue malware activity on your network:\n\n * _COM Hijacking_\n * _Possible theft of sensitive web browser information_\n * _Stolen SSO cookies__ _\n\n### Azure Sentinel query\n\nTo locate possible SOURGUM activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml>).\n\n### Indicators of compromise (IOCs)\n\nNo malware hashes are being shared because DevilsTongue files, except for the third part driver below, all have unique hashes, and therefore, are not a useful indicator of compromise.\n\n#### Physmem driver\n\nNote that this driver may be used legitimately, but if it\u2019s seen on path _C:\\Windows\\system32\\drivers\\physmem.sys_ then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.\n\n * _MD5: a0e2223868b6133c5712ba5ed20c3e8a_\n * _SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c_\n * _SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d_\n\n#### Domains\n\n * noc-service-streamer[.]com\n * fbcdnads[.]live\n * hilocake[.]info\n * backxercise[.]com\n * winmslaf[.]xyz\n * service-deamon[.]com\n * online-affiliate-mon[.]com\n * codeingasmylife[.]com\n * kenoratravels[.]com\n * weathercheck[.]digital\n * colorpallatess[.]com\n * library-update[.]com\n * online-source-validate[.]com\n * grayhornet[.]com\n * johnshopkin[.]net\n * eulenformacion[.]com\n * pochtarossiy[.]info\n\nThe post [Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware](<https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-15T15:21:02", "type": "mssecure", "title": "Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771"], "modified": "2021-07-15T15:21:02", "id": "MSSECURE:FA096F112DC9423A9C4E3850DD8721F3", "href": "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "schneier": [{"lastseen": "2021-07-28T14:37:00", "description": "Citizen Lab has identified yet another Israeli company that sells spyware to governments around the world: Candiru.\n\nFrom [the report](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>):\n\n> Summary:\n> \n> * Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly, their spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts. \n> * Using Internet scanning we identified more than 750 websites linked to Candiru&#x27;s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities. \n> * We identified a politically active victim in Western Europe and recovered a copy of Candiru&#x27;s Windows spyware. \n> * Working with Microsoft Threat Intelligence Center (MSTIC) we analyzed the spyware, resulting in the discovery of [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979>) and [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771>) by Microsoft, two privilege escalation vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021. \n> * As part of their investigation, Microsoft [observed](<https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/>) at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians. \n> * We provide a brief technical overview of the Candiru spyware&#x27;s persistence mechanism and some details about the spyware&#x27;s functionality. \n> * Candiru has made efforts to obscure its ownership structure, staffing, and investment partners. Nevertheless, we have been able to shed some light on those areas in this report.\n\nWe&#x27;re not going to be able to secure the Internet until we deal with the companies that engage in the international cyber-arms trade.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-19T15:54:58", "type": "schneier", "title": "Candiru: Another Cyberweapons Arms Manufacturer", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771"], "modified": "2021-07-19T15:54:58", "id": "SCHNEIER:34FA6921AD55EB5CAC146C5F516AF062", "href": "https://www.schneier.com/blog/archives/2021/07/candiru-another-cyberweapons-arms-manufacturer.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mmpc": [{"lastseen": "2021-07-28T14:39:39", "description": "The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits ([CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>) and [CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>)).\n\nPrivate-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets\u2019 computers, phones, network infrastructure, and other devices. With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves. The tools, tactics, and procedures used by these companies only adds to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.\n\nMSTIC believes SOURGUM is an Israel-based private-sector offensive actor. We would like to thank the Citizen Lab, at the University of Toronto&#x27;s Munk School, for sharing the sample of malware that initiated this work and their collaboration during the investigation. In their [blog](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>), Citizen Lab asserts with high confidence that SOURGUM is an Israeli company commonly known as Candiru. [Third-party reports](<https://www.haaretz.com/middle-east-news/.premium-top-secret-israeli-cyberattack-firm-revealed-1.6805950>) indicate Candiru produces \u201chacking tools [that] are used to break into computers and servers\u201d_. _\n\nAs we shared in the [Microsoft on the Issues blog](<https://blogs.microsoft.com/on-the-issues/2021/07/15/cyberweapons-cybersecurity-sourgum-malware/>), Microsoft and Citizen Lab have worked together to disable the malware being used by SOURGUM that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents. To limit these attacks, Microsoft has created and built protections into our products against this unique malware, which we are calling _DevilsTongue_. We have shared these protections with the security community so that we can collectively address and mitigate this threat. We have also issued a software update that will protect Windows customers from the associated exploits that the actor used to help deliver its highly sophisticated malware.\n\n## SOURGUM victimology\n\nMedia reports ([1](<https://www.theguardian.com/technology/2015/jul/06/hacking-team-hacked-firm-sold-spying-tools-to-repressive-regimes-documents-claim>), [2](<https://www.theguardian.com/media/2020/dec/20/citizen-lab-nso-dozens-of-aljazeera-journalists-allegedly-hacked-using-israeli-firm-spyware>), [3](<https://www.wired.co.uk/article/phone-hacking-mollitiam-industries>)) indicate that PSOAs often sell Windows exploits and malware in hacking-as-a-service packages to government agencies. Agencies in Uzbekistan, United Arab Emirates, and Saudi Arabia are among the list of Candiru\u2019s [alleged previous customers](<https://urldefense.com/v3/__https:/www.forbes.com/sites/thomasbrewster/2019/10/03/meet-candiru-the-super-stealth-cyber-mercenaries-hacking-apple-and-microsoft-pcs-for-profit/__;!!OPvj_Mo!qxCbqIivPDfDqHshaSJGunR3h_DoOYV2RVnwMJgvScAoj3M1t_G2HZOUIdiCpg$>). These agencies, then, likely choose whom to target and run the cyberoperations themselves.\n\nMicrosoft has identified over 100 victims of SOURGUM\u2019s malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn\u2019t necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common.\n\nAny [Microsoft 365 Defender](<https://www.microsoft.com/en-us/security/business/threat-protection/microsoft-365-defender>) and [Microsoft Defender for Endpoint](<https://www.microsoft.com/en-us/microsoft-365/security/endpoint-defender>) alerts containing detection names for the DevilsTongue malware name are signs of compromise by SOURGUM\u2019s malware. We have included a comprehensive list of detection names below for customers to perform additional hunting in their environments.\n\n## Exploits\n\nSOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.\n\nDuring the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.\n\n[CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>) fixes an integer overflow within Windows NT-based operating system (NTOS). This overflow results in an incorrect buffer size being calculated, which is then used to allocate a buffer in the kernel pool. A buffer overflow subsequently occurs while copying memory to the smaller-than-expected destination buffer. This vulnerability can be leveraged to corrupt an object in an adjacent memory allocation. Using APIs from user mode, the kernel pool memory layout can be groomed with controlled allocations, resulting in an object being placed in the adjacent memory location. Once corrupted by the buffer overflow, this object can be turned into a user mode to kernel mode read/write primitive. With these primitives in place, an attacker can then elevate their privileges.\n\n[CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>) addresses a race condition within NTOS resulting in the use-after-free of a kernel object. By using multiple racing threads, the kernel object can be freed, and the freed memory reclaimed by a controllable object. Like the previous vulnerability, the kernel pool memory can be sprayed with allocations using user mode APIs with the hopes of landing an object allocation within the recently freed memory. If successful, the controllable object can be used to form a user mode to kernel mode read/write primitive and elevate privileges.\n\n## DevilsTongue malware overview\n\nDevilsTongue is a complex modular multi-threaded piece of malware written in C and C++ with several novel capabilities. Analysis is still on-going for some components and capabilities, but we\u2019re sharing our present understanding of the malware so defenders can use this intelligence to protect networks and so other researchers can build on our analysis.\n\nFor files on disk, PDB paths and PE timestamps are scrubbed, strings and configs are encrypted, and each file has a unique hash. The main functionality resides in DLLs that are encrypted on disk and only decrypted in memory, making detection more difficult. Configuration and tasking data is separate from the malware, which makes analysis harder. DevilsTongue has both user mode and kernel mode capabilities. There are several novel detection evasion mechanisms built in. All these features are evidence that SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security.\n\nWhen the malware is installed, a first-stage \u2018hijack\u2019 malware DLL is dropped in a subfolder of _C:\\Windows\\system32\\IME\\_; the folders and names of the hijack DLLs blend with legitimate names in the _\\IME\\_ directories. Encrypted second-stage malware and config files are dropped into subfolders of _C:\\Windows\\system32\\config\\ _with a _.dat _file extension. A third-party legitimate, signed driver _physmem.sys_ is dropped to the _system32\\drivers _folder. A file called _WimBootConfigurations.ini_ is also dropped; this file has the command for following the COM hijack. Finally, the malware adds the hijack DLL to a COM class registry key, overwriting the legitimate COM DLL path that was there, achieving persistence via [COM hijacking](<https://attack.mitre.org/techniques/T1546/015/>).\n\nFrom the COM hijacking, the DevilsTongue first-stage hijack DLL gets loaded into a _svchost.exe_ process to run with SYSTEM permissions. The COM hijacking technique means that the original DLL that was in the COM registry key isn\u2019t loaded. This can break system functionality and trigger an investigation that could lead to the discovery of the malware, but DevilsTongue uses an interesting technique to avoid this. In its _DllMain_ function it calls _LoadLibrary_ on the original COM DLL so it is correctly loaded into the process. DevilsTongue then searches the call stack to find the return address of _LoadLibraryExW_ (i.e., the function currently loading the DevilsTongue DLL), which would usually return the base address of the DevilsTongue DLL.\n\nOnce the _LoadLibraryExW_ return address has been found, DevilsTongue allocates a small buffer with shellcode that puts the COM DLL\u2019s base address (_imecfmup.7FFE49060000_ in Figure 1) into the _rax_ register and then jumps to the original return address of _LoadLibraryExW_ (_svchost.7FF78E903BFB_ in Figures 1 and 2). In Figure 1 the COM DLL is named _imecfmup_ rather than a legitimate COM DLL name because some DevilsTongue samples copied the COM DLL to another location and renamed it.\n\n\n\n_Figure 1. _DevilsTongue _return address modification shellcode_\n\nDevilsTongue then swaps the original _LoadLibraryExW_ return address on the stack with the address of the shellcode so that when _LoadLibraryExW_ returns it does so into the shellcode (Figures 2 and 3). The shellcode replaces the DevilsTongue base address in _rax_ with the COM DLL\u2019s base address, making it look like _LoadLibraryExW_ has returned the COM DLL\u2019s address. The _svchost.exe_ host process now uses the returned COM DLL base address as it usually would.\n\n\n\n_Figure 2. Call stack before stack swap, LoadLibraryExW in kernelbase returning to svchost.exe (0x7FF78E903BFB)_\n\n\n\n_Figure 3. Call stack after stack swap, LoadLibraryExW in kernelbase returning to the shellcode address (0x156C51E0000 from Figure 1)_\n\nThis technique ensures that the DevilsTongue DLL is loaded by the _svchost.exe_ process, giving the malware persistence, but that the legitimate COM DLL is also loaded correctly so there\u2019s no noticeable change in functionality on the victim\u2019s systems.\n\nAfter this, the hijack DLL then decrypts and loads a second-stage malware DLL from one of the encrypted _.dat_ files. The second-stage malware decrypts another _.dat_ file that contains multiple helper DLLs that it relies on for functionality.\n\nDevilsTongue has standard malware capabilities, including file collection, registry querying, running WMI commands, and querying SQLite databases. It\u2019s capable of stealing victim credentials from both LSASS and from browsers, such as Chrome and Firefox. It also has dedicated functionality to decrypt and exfiltrate conversations from the [Signal](<https://signal.org/>) messaging app.\n\nIt can retrieve cookies from a variety of web browsers. These stolen cookies can later be used by the attacker to sign in as the victim to websites to enable further information gathering. Cookies can be collected from these paths (_* is a wildcard to match any folders_):\n\n * _%LOCALAPPDATA%\\Chromium\\User Data\\\\*\\Cookies_\n * _%LOCALAPPDATA%\\Google\\Chrome\\User Data\\\\*\\Cookies_\n * _%LOCALAPPDATA%\\Microsoft\\Windows\\INetCookies_\n * _%LOCALAPPDATA%\\Packages\\\\*\\AC\\\\*\\MicrosoftEdge\\Cookies_\n * _%LOCALAPPDATA%\\UCBrowser\\User Data_i18n\\\\*\\Cookies.9_\n * _%LOCALAPPDATA%\\Yandex\\YandexBrowser\\User Data\\\\*\\Cookies_\n * _%APPDATA%\\Apple Computer\\Safari\\Cookies\\Cookies.binarycookies_\n * _%APPDATA%\\Microsoft\\Windows\\Cookies_\n * _%APPDATA%\\Mozilla\\Firefox\\Profiles\\\\*\\cookies.sqlite_\n * _%APPDATA%\\Opera Software\\Opera Stable\\Cookies_\n\nInterestingly, DevilsTongue seems able to use cookies directly from the victim\u2019s computer on websites such as Facebook, Twitter, Gmail, Yahoo, Mail.ru, Odnoklassniki, and Vkontakte to collect information, read the victim\u2019s messages, and retrieve photos. DevilsTongue can also send messages as the victim on some of these websites, appearing to any recipient that the victim had sent these messages. The capability to send messages could be weaponized to send malicious links to more victims.\n\nAlongside DevilsTongue a third-party signed driver is dropped to _C:\\Windows\\system32\\drivers\\physmem.sys_. The driver\u2019s description is \u201cPhysical Memory Access Driver,\u201d and it appears to offer a \u201cby-design&quot; kernel read/write capability. This appears to be abused by DevilsTongue to proxy certain API calls via the kernel to hinder detection, including the capability to have some of the calls appear from other processes. Functions capable of being proxied include _CreateProcessW, VirtualAllocEx, VirtualProtectEx, WriteProcessMemory, ReadProcessMemory, CreateFileW _and_ RegSetKeyValueW_.\n\n## Prevention and detection\n\nTo prevent compromise from browser exploits, it\u2019s recommended to use an isolated environment, such as a virtual machine, when opening links from untrusted parties. Using a modern version of Windows 10 with virtualization-based protections, such as Credential Guard, prevents DevilsTongue\u2019s LSASS credential-stealing capabilities. Enabling the attack surface reduction rule \u201c[Block abuse of exploited vulnerable signed drivers](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-abuse-of-exploited-vulnerable-signed-drivers>)\u201d in Microsoft Defender for Endpoint blocks the driver that DevilsTongue uses. [Network protection](<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide>) blocks known SOURGUM domains.\n\n### Detection opportunities\n\nThis section is intended to serve as a non-exhaustive guide to help customers and peers in the cybersecurity industry to detect the DevilsTongue malware. We\u2019re providing this guidance with the expectation that SOURGUM will likely change the characteristics we identify for detection in their next iteration of the malware. Given the actor\u2019s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.\n\n#### File locations\n\nThe hijack DLLs are in subfolders of _\\system32\\ime\\ _with names starting with \u2018_im\u2019. _However, they are blended with legitimate DLLs in those folders. To distinguish between the malicious and benign, the legitimate DLLs are signed (on Windows 10) whereas the DevilsTongue files aren\u2019t_. _Example paths:\n\n * _C:\\Windows\\System32\\IME\\IMEJP\\imjpueact.dll _\n * _C:\\Windows\\system32\\ime\\IMETC\\IMTCPROT.DLL_\n * _C:\\Windows\\system32\\ime\\SHARED\\imecpmeid.dll_\n\n_ _The DevilsTongue configuration files, which are AES-encrypted, are in subfolders of _C:\\Windows\\system32\\config\\ _and have a _.dat_ extension. The exact paths are victim-specific, although some folder names are common across victims. As the files are AES-encrypted, any files whose size mod 16 is 0 can be considered as a possible malware config file. The config files are always in new folders, not the legitimate existing folders (e.g., on Windows 10, never in \\Journal, \\systemprofile, \\TxR etc.). Example paths:\n\n * _C:\\Windows\\system32\\config\\spp\\ServiceState\\Recovery\\pac.dat_\n * _C:\\Windows\\system32\\config\\cy-GB\\Setup\\SKB\\InputMethod\\TupTask.dat_\n * _C:\\Windows\\system32\\config\\config\\startwus.dat_\n\nCommonly reused folder names in the config file paths:\n\n * _spp_\n * _SKB_\n * _curv_\n * _networklist_\n * _Licenses_\n * _InputMethod_\n * _Recovery_\n\nThe .ini reg file has the unique name _WimBootConfigurations.ini _and is in a subfolder of _system32\\ime\\_. Example paths:\n\n * _C:\\Windows\\system32\\ime\\SHARED\\WimBootConfigurations.ini_\n * _C:\\Windows\\system32\\ime\\IMEJP\\WimBootConfigurations.ini_\n * _C:\\Windows\\system32\\ime\\IMETC\\WimBootConfigurations.ini_\n\nThe Physmem driver is dropped into system32:\n\n * _C:\\Windows\\system32\\drivers\\physmem.sys \n_\n\n#### Behaviors\n\nThe two COM keys that have been observed being hijacked for persistence are listed below with their default clean values. If their default value DLL is in the _\\system32\\ime\\ _folder, the DLL is likely DevilsTongue.\n\n * _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32 _= _%systemroot%\\system32\\wbem\\wmiutils.dll (clean default value_)\n * _HKLM\\SOFTWARE\\Classes\\CLSID\\\\{7C857801-7381-11CF-884D-00AA004B2E24}\\InProcServer32 = __%systemroot%\\system32\\wbem\\wbemsvc.dll (clean default value_)\n\n#### File content and characteristics\n\nThis Yara rule can be used to find the DevilsTongue hijack DLL:\n\n`import \"pe\" \nrule DevilsTongue_HijackDll \n{ \nmeta: \ndescription = \"Detects SOURGUM's DevilsTongue hijack DLL\" \nauthor = \"Microsoft Threat Intelligence Center (MSTIC)\" \ndate = \"2021-07-15\" \nstrings: \n$str1 = \"windows.old\\\\windows\" wide \n$str2 = \"NtQueryInformationThread\" \n$str3 = \"dbgHelp.dll\" wide \n$str4 = \"StackWalk64\" \n$str5 = \"ConvertSidToStringSidW\" \n$str6 = \"S-1-5-18\" wide \n$str7 = \"SMNew.dll\" // DLL original name \n// Call check in stack manipulation \n// B8 FF 15 00 00 mov eax, 15FFh \n// 66 39 41 FA cmp [rcx-6], ax \n// 74 06 jz short loc_1800042B9 \n// 80 79 FB E8 cmp byte ptr [rcx-5], 0E8h ; '\u00e8' \n$code1 = {B8 FF 15 00 00 66 39 41 FA 74 06 80 79 FB E8} \n// PRNG to generate number of times to sleep 1s before exiting \n// 44 8B C0 mov r8d, eax \n// B8 B5 81 4E 1B mov eax, 1B4E81B5h \n// 41 F7 E8 imul r8d \n// C1 FA 05 sar edx, 5 \n// 8B CA mov ecx, edx \n// C1 E9 1F shr ecx, 1Fh \n// 03 D1 add edx, ecx \n// 69 CA 2C 01 00 00 imul ecx, edx, 12Ch \n// 44 2B C1 sub r8d, ecx \n// 45 85 C0 test r8d, r8d \n// 7E 19 jle short loc_1800014D0 \n$code2 = {44 8B C0 B8 B5 81 4E 1B 41 F7 E8 C1 FA 05 8B CA C1 E9 1F 03 D1 69 CA 2C 01 00 00 44 2B C1 45 85 C0 7E 19} \ncondition: \nfilesize < 800KB and \nuint16(0) == 0x5A4D and \n(pe.characteristics & pe.DLL) and \n( \n4 of them or \n($code1 and $code2) or \n(pe.imphash() == \"9a964e810949704ff7b4a393d9adda60\") \n) \n}`\n\n### Microsoft Defender Antivirus detections\n\nMicrosoft Defender Antivirus detects DevilsTongue malware with the following detections:\n\n * _Trojan:Win32/DevilsTongue.A!dha_\n * _Trojan:Win32/DevilsTongue.B!dha_\n * _Trojan:Script/DevilsTongueIni.A!dha_\n * _VirTool:Win32/DevilsTongueConfig.A!dha_\n * _HackTool__:Win32/DevilsTongueDriver.A!dha_\n\n### Microsoft Defender for Endpoint alerts\n\nAlerts with the following titles in the security center can indicate DevilsTongue malware activity on your network:\n\n * _COM Hijacking_\n * _Possible theft of sensitive web browser information_\n * _Stolen SSO cookies__ _\n\n### Azure Sentinel query\n\nTo locate possible SOURGUM activity using Azure Sentinel, customers can find a Sentinel query containing these indicators in this [GitHub repository](<https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml>).\n\n### Indicators of compromise (IOCs)\n\nNo malware hashes are being shared because DevilsTongue files, except for the third part driver below, all have unique hashes, and therefore, are not a useful indicator of compromise.\n\n#### Physmem driver\n\nNote that this driver may be used legitimately, but if it\u2019s seen on path _C:\\Windows\\system32\\drivers\\physmem.sys_ then it is a high-confidence indicator of DevilsTongue activity. The hashes below are provided for the one driver observed in use.\n\n * _MD5: a0e2223868b6133c5712ba5ed20c3e8a_\n * _SHA-1: 17614fdee3b89272e99758983b99111cbb1b312c_\n * _SHA-256: c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d_\n\n#### Domains\n\n * noc-service-streamer[.]com\n * fbcdnads[.]live\n * hilocake[.]info\n * backxercise[.]com\n * winmslaf[.]xyz\n * service-deamon[.]com\n * online-affiliate-mon[.]com\n * codeingasmylife[.]com\n * kenoratravels[.]com\n * weathercheck[.]digital\n * colorpallatess[.]com\n * library-update[.]com\n * online-source-validate[.]com\n * grayhornet[.]com\n * johnshopkin[.]net\n * eulenformacion[.]com\n * pochtarossiy[.]info\n\nThe post [Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware](<https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/>) appeared first on [Microsoft Security Blog](<https://www.microsoft.com/security/blog>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-15T15:21:02", "type": "mmpc", "title": "Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979", "CVE-2021-33771"], "modified": "2021-07-15T15:21:02", "id": "MMPC:FA096F112DC9423A9C4E3850DD8721F3", "href": "https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-07-29T03:55:26", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges. \n \n The remote system is not fully secure as the point and print registry settings contain an insecure configuration in \n one of the following locations/keys:\n\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-09T00:00:00", "title": "Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_CVE-2021-34527_REG_CHECK.NASL", "href": "https://www.tenable.com/plugins/nessus/151488", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151488);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/12\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004945\");\n script_xref(name:\"MSKB\", value:\"5004946\");\n script_xref(name:\"MSKB\", value:\"5004947\");\n script_xref(name:\"MSKB\", value:\"5004948\");\n script_xref(name:\"MSKB\", value:\"5004950\");\n script_xref(name:\"MSKB\", value:\"5004951\");\n script_xref(name:\"MSKB\", value:\"5004953\");\n script_xref(name:\"MSKB\", value:\"5004954\");\n script_xref(name:\"MSKB\", value:\"5004955\");\n script_xref(name:\"MSKB\", value:\"5004956\");\n script_xref(name:\"MSKB\", value:\"5004958\");\n script_xref(name:\"MSKB\", value:\"5004959\");\n script_xref(name:\"MSKB\", value:\"5004960\");\n script_xref(name:\"MSFT\", value:\"MS21-5004945\");\n script_xref(name:\"MSFT\", value:\"MS21-5004946\");\n script_xref(name:\"MSFT\", value:\"MS21-5004947\");\n script_xref(name:\"MSFT\", value:\"MS21-5004948\");\n script_xref(name:\"MSFT\", value:\"MS21-5004950\");\n script_xref(name:\"MSFT\", value:\"MS21-5004951\");\n script_xref(name:\"MSFT\", value:\"MS21-5004953\");\n script_xref(name:\"MSFT\", value:\"MS21-5004954\");\n script_xref(name:\"MSFT\", value:\"MS21-5004955\");\n script_xref(name:\"MSFT\", value:\"MS21-5004956\");\n script_xref(name:\"MSFT\", value:\"MS21-5004958\");\n script_xref(name:\"MSFT\", value:\"MS21-5004959\");\n script_xref(name:\"MSFT\", value:\"MS21-5004960\");\n\n script_name(english:\"Windows PrintNightmare Registry Exposure CVE-2021-34527 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges. \n \n The remote system is not fully secure as the point and print registry settings contain an insecure configuration in \n one of the following locations/keys:\n\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\NoWarningNoElevationOnInstall\n - HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\UpdatePromptSettings\");\n # https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c80300b5\");\n # https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions_Win7\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2cdd3bd3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004945\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004946\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004947\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004948\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004950\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004951\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004953\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004955\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004956\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004958\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004959\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004960\");\n script_set_attribute(attribute:\"solution\", value:\n\"See Vendor Advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nvar bulletin = 'MS21-07';\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nvar my_os = get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\nvar my_os_build = get_kb_item('SMB/WindowsVersionBuild');\nvar mitigated = TRUE; # by default: These registry keys do not exist by default, and therefore are already at the secure setting\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nif(my_os == '10')\n{\n if( \n (my_os_build != '10240') && \n (my_os_build != '14393') && \n (my_os_build != '17763') && \n (my_os_build != '18363') && \n (my_os_build != '19041') && \n (my_os_build != '19042') && \n (my_os_build != '19043') \n ) exit(0, 'Windows version ' + my_os + ', build ' + my_os_build + ' is not affected.');\n}\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n## Check mitigation\nvar keys = make_list(\n 'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\PointAndPrint\\\\NoWarningNoElevationOnInstall',\n 'SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows NT\\\\Printers\\\\PointAndPrint\\\\UpdatePromptSettings');\n\nhotfix_check_fversion_init();\nregistry_init();\nvar hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\nvar values = get_registry_values(handle:hklm, items:keys);\nRegCloseKey(handle:hklm);\n\nvar report = '\\n Nessus detected the following insecure registry key configuration:\\n';\n# MS: must confirm that the following registry settings are set to 0 (zero) or are not defined\n# if defined and empty we are exposed; so isNull over empty_or_null()\n# setup reporting\nforeach var key (keys)\n{\n if(!isnull(values[key]) && (values[key] != 0) )\n {\n report += ' - ' + key + ' is set to ' + values[key] + '\\n';\n mitigated = FALSE;\n }\n}\nhotfix_add_report(report);\n\n# if we don't have any patches or the registry is insecurely configured, alert.\nif(!mitigated)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:26", "description": "The Internet Explorer installation on the remote host is\nmissing a security update. It is, therefore, affected by the following vulnerabilities:\n\n - A security bypass vulnerability exists in the HTML platforms component. An unauthenticated, remote attacker\n can exploit this to bypass security in order to gain full access to the system. (CVE-2021-34446)\n\n - A remote code execution vulnerability exists in the MSHTML platform. An unauthenticated, remote attacker\n can exploit this to bypass authentication and execute arbitrary commands. (CVE-2021-34447, CVE-2021-34497)\n\n - A memory corruption error exists in the scripting engine. An unauthenticated, remote attacker can exploit\n this to execute arbitrary commands. (CVE-2021-34448)", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "title": "Security Updates for Internet Explorer (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34446", "CVE-2021-34448", "CVE-2021-34447", "CVE-2021-34497"], "modified": "2021-07-13T00:00:00", "cpe": ["cpe:/a:microsoft:ie"], "id": "SMB_NT_MS21_JUL_INTERNET_EXPLORER.NASL", "href": "https://www.tenable.com/plugins/nessus/151597", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151597);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/26\");\n\n script_cve_id(\n \"CVE-2021-34446\",\n \"CVE-2021-34447\",\n \"CVE-2021-34448\",\n \"CVE-2021-34497\"\n );\n script_xref(name:\"MSKB\", value:\"5004233\");\n script_xref(name:\"MSKB\", value:\"5004289\");\n script_xref(name:\"MSKB\", value:\"5004294\");\n script_xref(name:\"MSKB\", value:\"5004298\");\n script_xref(name:\"MSKB\", value:\"5004305\");\n script_xref(name:\"MSFT\", value:\"MS21-5004233\");\n script_xref(name:\"MSFT\", value:\"MS21-5004289\");\n script_xref(name:\"MSFT\", value:\"MS21-5004294\");\n script_xref(name:\"MSFT\", value:\"MS21-5004298\");\n script_xref(name:\"MSFT\", value:\"MS21-5004305\");\n\n script_name(english:\"Security Updates for Internet Explorer (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Internet Explorer installation on the remote host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Internet Explorer installation on the remote host is\nmissing a security update. It is, therefore, affected by the following vulnerabilities:\n\n - A security bypass vulnerability exists in the HTML platforms component. An unauthenticated, remote attacker\n can exploit this to bypass security in order to gain full access to the system. (CVE-2021-34446)\n\n - A remote code execution vulnerability exists in the MSHTML platform. An unauthenticated, remote attacker\n can exploit this to bypass authentication and execute arbitrary commands. (CVE-2021-34447, CVE-2021-34497)\n\n - A memory corruption error exists in the scripting engine. An unauthenticated, remote attacker can exploit\n this to execute arbitrary commands. (CVE-2021-34448)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5004233\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5004289\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5004294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5004298\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/topic/5004305\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue: \n -KB5004233\n -KB5004289\n -KB5004294\n -KB5004298\n -KB5004305\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34448\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:ie\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nvar bulletin = 'MS21-07';\nvar kbs = make_list(\n '5004233',\n '5004289',\n '5004294',\n '5004298',\n '5004305'\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nvar os = get_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nvar productname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\nif (\"Vista\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nif (hotfix_check_server_core() == 1) audit(AUDIT_WIN_SERVER_CORE);\n\nvar share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows 8.1 / Windows Server 2012 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.3\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.20064\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"5004233\") ||\n\n # Windows Server 2012\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.2\", sp:0, file:\"mshtml.dll\", version:\"11.0.9600.20064\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"5004233\") ||\n\n # Windows 7 / Server 2008 R2\n # Internet Explorer 11\n hotfix_is_vulnerable(os:\"6.1\", sp:1, file:\"mshtml.dll\", version:\"11.0.9600.20064\", min_version:\"11.0.9600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"5004233\") ||\n\n # Windows Server 2008\n # Internet Explorer 9\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"mshtml.dll\", version:\"9.0.8112.21575\", min_version:\"9.0.8112.16000\", dir:\"\\system32\", bulletin:bulletin, kb:\"5004233\")\n)\n{\n var report = '\\nNote: The fix for this issue is available in either of the following updates:\\n';\n report += ' - KB5004233 : Cumulative Security Update for Internet Explorer\\n';\n\n if(os == \"6.3\")\n {\n report += ' - KB5004298 : Windows 8.1 / Server 2012 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5004298', report);\n }\n else if(os == \"6.2\")\n {\n report += ' - KB5004294 : Windows Server 2012 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5004294', report);\n }\n else if(os == \"6.1\")\n {\n report += ' - KB5004289 : Windows 7 / Server 2008 R2 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5004289', report);\n }\n else if(os == \"6.0\")\n {\n report += ' - KB5004305 : Windows Server 2008 Monthly Rollup\\n';\n hotfix_add_report(bulletin:bulletin, kb:'5004305', report);\n }\n\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n\n var port = kb_smb_transport();\n\n hotfix_security_hole();\n hotfix_check_fversion_end();\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:08", "description": "The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-28483, CVE-2021-28482,\n CVE-2021-28481, CVE-2021-28480, CVE-2021-34473)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to\n gain elevated privileges. (CVE-2021-34523)\n\n - An information disclosure vulnerability. An attacker can exploit this to\n disclose potentially sensitive information. (CVE-2021-33766)", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "title": "Security Updates for Microsoft Exchange Server (April 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-28482", "CVE-2021-34473", "CVE-2021-28483", "CVE-2021-28480", "CVE-2021-34523", "CVE-2021-28481", "CVE-2021-33766"], "modified": "2021-04-13T00:00:00", "cpe": ["cpe:/a:microsoft:exchange_server"], "id": "SMB_NT_MS21_APR_EXCHANGE.NASL", "href": "https://www.tenable.com/plugins/nessus/148476", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148476);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/15\");\n\n script_cve_id(\n \"CVE-2021-28480\",\n \"CVE-2021-28481\",\n \"CVE-2021-28482\",\n \"CVE-2021-28483\",\n \"CVE-2021-33766\",\n \"CVE-2021-34473\",\n \"CVE-2021-34523\"\n );\n script_xref(name:\"MSKB\", value:\"5001779\");\n script_xref(name:\"MSFT\", value:\"MS21-5001779\");\n script_xref(name:\"IAVA\", value:\"2021-A-0160-S\");\n\n script_name(english:\"Security Updates for Microsoft Exchange Server (April 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Microsoft Exchange Server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Microsoft Exchange Server installed on the remote host\nis missing security updates. It is, therefore, affected by\nmultiple vulnerabilities:\n\n - A remote code execution vulnerability. An attacker could exploit this to\n execute unauthorized arbitrary code. (CVE-2021-28483, CVE-2021-28482,\n CVE-2021-28481, CVE-2021-28480, CVE-2021-34473)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to\n gain elevated privileges. (CVE-2021-34523)\n\n - An information disclosure vulnerability. An attacker can exploit this to\n disclose potentially sensitive information. (CVE-2021-33766)\");\n # https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-april-13-2021-kb5001779-8e08f3b3-fc7b-466c-bbb7-5d5aa16ef064\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3bdeeea7\");\n # https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b66291c9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released the following security updates to address this issue:\n -KB5001779\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-28480\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:exchange_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ms_bulletin_checks_possible.nasl\", \"microsoft_exchange_installed.nbin\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('install_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nexit_if_productname_not_server();\n\nvar bulletin = 'MS21-04';\nvar kbs = make_list(\n '5001779' # 2013 CU 23 / 2016 CU19-20 / 2019 CU8-9\n);\n\nif (get_kb_item('Host/patch_management_checks'))\n hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nvar install = get_single_install(app_name:'Microsoft Exchange');\n\nvar path = install['path'];\nvar version = install['version'];\nvar release = install['RELEASE'];\nvar port = kb_smb_transport();\n\nif (\n release != 150 && # 2013\n release != 151 && # 2016\n release != 152 # 2019\n) audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);\n\nvar cu = 0;\nvar sp = 0;\nif (!empty_or_null(install['CU']))\n cu = install['CU'];\nif (!empty_or_null(install['SP']))\n sp = install['SP'];\n\nif (release == 150) # Exchange Server 2013\n{\n if (cu == 23)\n {\n fixedver = '15.0.1497.15';\n }\n else if (cu < 23)\n {\n unsupported_cu = TRUE;\n }\n\n kb = '5001779';\n}\nelse if (release == 151) # Exchange Server 2016\n{\n if (cu == 19)\n {\n fixedver = '15.1.2176.12';\n }\n else if (cu == 20)\n {\n fixedver = '15.1.2242.8';\n }\n else if (cu < 20)\n {\n unsupported_cu = TRUE;\n }\n\n kb = '5001779';\n}\nelse if (release == 152) # Exchange Server 2019\n{\n if (cu == 8)\n {\n fixedver = '15.2.792.13';\n }\n else if (cu == 9)\n {\n fixedver = '15.2.858.10';\n }\n else if (cu < 9)\n {\n unsupported_cu = TRUE;\n }\n\n kb = '5001779';\n}\n\nif ((fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:\"Bin\"), file:'ExSetup.exe', version:fixedver, bulletin:bulletin, kb:kb))\n || (unsupported_cu && report_paranoia == 2))\n{\n if (unsupported_cu)\n hotfix_add_report('The Microsoft Exchange Server installed at ' + path +\n ' has an unsupported Cumulative Update (CU) installed and may be ' +\n 'vulnerable to the CVEs contained within the advisory. Unsupported ' +\n 'Exchange CU versions are not typically included in Microsoft ' +\n 'advisories and are not indicated as affected.\\n',\n bulletin:bulletin, kb:kb);;\n\n set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:25", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004947: Windows 10 1809 and Windows Server 2019 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004947.NASL", "href": "https://www.tenable.com/plugins/nessus/151473", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151473);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004947\");\n script_xref(name:\"MSFT\", value:\"MS21-5004947\");\n\n script_name(english:\"KB5004947: Windows 10 1809 and Windows Server 2019 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004947\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004947\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004947'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'17763',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004947])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:26", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004951: Windows Server 2008 R2 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004951.NASL", "href": "https://www.tenable.com/plugins/nessus/151476", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151476);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004951\");\n script_xref(name:\"MSKB\", value:\"5004953\");\n script_xref(name:\"MSFT\", value:\"MS21-5004951\");\n script_xref(name:\"MSFT\", value:\"MS21-5004953\");\n\n script_name(english:\"KB5004951: Windows Server 2008 R2 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004951\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004951\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004951'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1', \n sp:1,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004951])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:25", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004945: Windows 10 2004 / 20H2 / 21H1 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004945.NASL", "href": "https://www.tenable.com/plugins/nessus/151471", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151471);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004945\");\n script_xref(name:\"MSFT\", value:\"MS21-5004945\");\n\n script_name(english:\"KB5004945: Windows 10 2004 / 20H2 / 21H1 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \n operations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004945\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004945\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004945'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'19041',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945])\n|| \nsmb_check_rollup(os:'10', \n sp:0,\n os_build:'19042',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945]\n)\n|| \nsmb_check_rollup(os:'10', \n sp:0,\n os_build:'19043',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004945]\n)\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:26", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004958: Windows Server 2012 R2 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004958.NASL", "href": "https://www.tenable.com/plugins/nessus/151477", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151477);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004954\");\n script_xref(name:\"MSKB\", value:\"5004958\");\n script_xref(name:\"MSFT\", value:\"MS21-5004954\");\n script_xref(name:\"MSFT\", value:\"MS21-5004958\");\n\n script_name(english:\"KB5004958: Windows Server 2012 R2 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004954\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004958\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004958\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004958'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3', \n sp:0,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004958])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:25", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004946: Windows 10 1909 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004946.NASL", "href": "https://www.tenable.com/plugins/nessus/151472", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151472);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004946\");\n script_xref(name:\"MSFT\", value:\"MS21-5004946\");\n\n script_name(english:\"KB5004946: Windows 10 1909 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004946\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004946\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004946'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'18363',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004946])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:26", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004959: Windows Server 2008 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004959.NASL", "href": "https://www.tenable.com/plugins/nessus/151478", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151478);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004959\");\n script_xref(name:\"MSFT\", value:\"MS21-5004959\");\n\n script_name(english:\"KB5004959: Windows Server 2008 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004955\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004959\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004959\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004959'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0', \n sp:2,\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004959])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T03:55:25", "description": "A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T00:00:00", "title": "KB5004948: Windows 10 1607 and Windows Server 2016 OOB Security Update RCE (July 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_JUL_5004948.NASL", "href": "https://www.tenable.com/plugins/nessus/151474", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151474);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/09\");\n\n script_cve_id(\"CVE-2021-34527\");\n script_xref(name:\"IAVA\", value:\"2021-A-0299\");\n script_xref(name:\"MSKB\", value:\"5004948\");\n script_xref(name:\"MSFT\", value:\"MS21-5004948\");\n\n script_name(english:\"KB5004948: Windows 10 1607 and Windows Server 2016 OOB Security Update RCE (July 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote code execution vulnerabilty.\");\n script_set_attribute(attribute:\"description\", value:\n\"A remote command execution vulnerability exists in Windows Print Spooler service improperly performs privileged file \noperations. An authenticated, remote attacker can exploit this to bypass and run arbitrary code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/5004948\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update 5004948\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-34527\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-07';\nkbs = make_list(\n '5004948'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10', \n sp:0,\n os_build:'14393',\n rollup_date:'06_2021_07_01',\n bulletin:bulletin,\n rollup_kb_list:[5004948])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2021-07-28T14:34:25", "description": "### Microsoft Patch Tuesday \u2013 July 2021\n\nMicrosoft patched 117 vulnerabilities in their July 2021 Patch Tuesday release, and 13 of them are rated as critical severity.\n\n### Critical Microsoft Vulnerabilities Patched\n\n[CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>) \u2013 Scripting Engine Memory Corruption Vulnerability\n\nThis is being actively exploited. The vulnerability allows an attacker to execute malicious code on a compromised website if a user browses to a specially crafted file on the website. The vendor has assigned a CVSSv3 base score of 6.8 and should be prioritized for patching.\n\n[CVE-2021-34494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34494>) - Windows DNS Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in Windows DNS Server (CVE-2021-34494). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor. This is only exploitable to DNS servers only; however, it could allow remote code execution without user interaction.\n\n[CVE-2021-33780](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33780>) - Windows DNS Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing a critical RCE vulnerability in DNS Server (CVE-2021-33780). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.\n\n[CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>) - Windows Kernel Elevation of Privilege Vulnerability\n\nThis has been actively exploited and is assigned a CVSSv3 base score of 7.2 by the vendor. This should be prioritized for patching.\n\n[CVE-2021-34489](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34489>) \u2013 DirectWrite Remote Code Execution Vulnerability\n\nThe vulnerability allows an attacker to host a website that contains a specially crafted file designed to exploit the vulnerability. The vendor has assigned a CVSSv3 base score of 7.8 and should be prioritized for patching.\n\n**CVE-2021-34467, CVE-2021-34468** \u2013 Microsoft SharePoint Server Remote Code Execution Vulnerability\n\nMicrosoft released patches addressing critical RCE vulnerabilities in SharePoint Server (CVE-2021-34467, CVE-2021-34468). These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, CVE-2021-34520 should be prioritized for patching.\n\n[CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) \u2013 Windows Print Spooler Remote Code Execution Vulnerability\n\nThis Patch Tuesday follows out-of-band updates released to fix remote code execution affecting Windows Print Spooler vulnerability, popularly known as PrintNightmare. While Microsoft had released updates to fix PrintNightmare vulnerability, it is important to ensure necessary configurations are set correctly. We also published a blog post on [how to remediate PrintNightmare using Qualys VMDR](<https://blog.qualys.com/vulnerabilities-threat-research/2021/07/07/microsoft-windows-print-spooler-rce-vulnerability-printnightmare-cve-2021-34527-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>).\n\n### Adobe Patch Tuesday \u2013 July 2021\n\nAdobe addressed 26 CVEs this Patch Tuesday, and 22 of them are rated as critical severity impacting Acrobat and Reader, Adobe Framemaker, Illustrator, Dimension, and Adobe Bridge products.\n\n### Discover Patch Tuesday Vulnerabilities in VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).\n\nYou can see all your impacted hosts by these vulnerabilities using the following QQL query:\n\n`vulnerabilities.vulnerability:(qid:`50112` OR qid:`50113` OR qid:`91787` OR qid:`91788` OR qid:`91789` OR qid:`91790` OR qid:`91791` OR qid:`91792` OR qid:`91793` OR qid:`91794` OR qid:`91795` OR qid:`110386` OR qid:`110387` OR qid:`375700` OR qid:`375706` OR qid:`375707` OR qid:`375708` OR qid:`375713` OR qid:`375714` OR qid:`375715`)` \n\n\n\n### Respond by Patching\n\nVMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go.\n\nThe following QQL will return the missing patches pertaining to this Patch Tuesday:\n\n`(qid:`50112` OR qid:`50113` OR qid:`91787` OR qid:`91788` OR qid:`91789` OR qid:`91790` OR qid:`91791` OR qid:`91792` OR qid:`91793` OR qid:`91794` OR qid:`91795` OR qid:`110386` OR qid:`110387` OR qid:`375700` OR qid:`375706` OR qid:`375707` OR qid:`375708` OR qid:`375713` OR qid:`375714` OR qid:`375715`)` \n\n\n\n### Patch Tuesday Dashboard\n\nThe current updated Patch Tuesday dashboards are available in [Dashboard Toolbox: 2021 Patch Tuesday Dashboard](<https://success.qualys.com/discussions/s/article/000006505>).\n\n### Webinar Series: This Month in Vulnerabilities and Patches\n\nTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series [_This Month in Vulnerabilities and Patches_](<https://www.brighttalk.com/webcast/11673/494962>).\n\nWe discuss some of the key vulnerabilities disclosed in the past month and how to patch them:\n\n * Windows Print Spooler RCE Vulnerability\n * Kaseya Multiple Zero-Day Vulnerabilities\n * Sonicwall Buffer Overflow Vulnerability\n * Microsoft Patch Tuesday, July 2021\n * Adobe Patch Tuesday, July 2021\n\n[Join us live or watch on demand!](<https://www.brighttalk.com/webcast/11673/494962>)\n\n[](<https://www.brighttalk.com/webcast/11673/494962>)Webinar July 15, 2021 or on demand.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://success.qualys.com/discussions/s/article/000006505>).", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T19:49:37", "type": "qualysblog", "title": "Microsoft and Adobe Patch Tuesday (July 2021) \u2013 Microsoft 117 Vulnerabilities with 13 Critical, Adobe 26 Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34494", "CVE-2021-34448", "CVE-2021-34489", "CVE-2021-34467", "CVE-2021-34468", "CVE-2021-34520", "CVE-2021-34527", "CVE-2021-33780", "CVE-2021-31979"], "modified": "2021-07-13T19:49:37", "id": "QUALYSBLOG:12BC089A56EB28CFD168EC09B070733D", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:34:25", "description": "**Update July 9, 2021**: Added &quot;Registry Settings Check After Installing the Updates&quot; section below.\n\n**Original Post**: On June 29, 2021, a zero-day exploit was observed on Microsoft Windows systems which allows authenticated users with a regular Domain User account to gain full SYSTEM-level privileges. On July 1, 2021, Microsoft released a separate [advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) linking this zero-day to CVE-2021-34527 as a confirmed Remote Code Execution (RCE) vulnerability. According to the new advisory, the PoC is publicly disclosed and actively exploited in the wild.\n\nOn July 6, 2021, [Microsoft released patches](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to address the PrintNightmare zero-day vulnerabilities.\n\nOn July 7, 2021, after Microsoft patches were released, some security researchers found that these were incomplete patches and threat actors could still leverage local privilege escalation vulnerability to gain access to the system.\n\nPer [BleepingComputer news](<https://www.bleepingcomputer.com/news/microsoft/microsofts-incomplete-printnightmare-patch-fails-to-fix-vulnerability/>), \u201cAfter update was released, security researchers [Matthew Hickey](<https://twitter.com/hackerfantastic/status/1410100394492112898>), co-founder of Hacker House, and [Will Dormann](<https://twitter.com/wdormann>), a vulnerability analyst for CERT/CC, determined that Microsoft only fixed the remote code execution component of the vulnerability. However, malware and threat actors could still use the local privilege escalation component to gain SYSTEM privileges on vulnerable systems for older Windows versions, and for newer versions if the Point and Print policy was enabled.\u201d\n\n#### About PrintNightmare\n\nPrintNightmare (CVE-2021-34527) is a vulnerability that allows an attacker with a regular user account to take over a server running the Windows Print Spooler service. This service runs on all Windows servers and clients by default, including domain controllers, in an Active Directory environment. Print Spooler, which is enabled by default on Microsoft Windows, is an executable file that manages print jobs sent to the computer printer or print server.\n\nA team of security researchers from Sangfor discovered this zero-day vulnerability. In a tweet they wrote, \n\n> \u201cWe deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait our Blackhat talk.\u201d \n\nThe GitHub repository was taken offline after a few hours, but not before it was [cloned](<https://github.com/cube0x0/CVE-2021-1675>) by several other users.\n\n_PrintNightmare_ execution looks for _kernelbase.dll, unidrv.dll_ files along with any other DLLs written into subfolders of &quot;_C:WindowsSystem32spooldrivers&quot;_ in the same timeframe by _spoolsv.exe_. A hard-coded printer driver path is not required as one can use _EnumPrinterDrivers()_ to find the path for _unidrv.dll._\n\n#### Affected Products\n\nAll Windows servers and clients, including domain controllers.\n\n### Identify Assets, Discover, Prioritize and Remediate Using Qualys VMDR\u00ae\n\nUse [Qualys Vulnerability Management, Detection, and Response (VMDR)](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) for:\n\n * Identification of known and unknown hosts running vulnerable Windows servers with Print Spooler service\n * Automatic detection of vulnerabilities and misconfigurations for Windows systems\n * Prioritization of threats based on risk\n * Integrated patch deployment\n\n#### Identification of Windows Assets with Print Spooler Running__\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of windows server hosts with Print Spooler service running\n\n`operatingSystem.category1:`Windows` and services.name:`Spooler``\n\n\n\nOnce the hosts are identified, they can be grouped together with a dynamic tag, e.g. &quot;PrintNightmare\u201d. This helps in automatically grouping existing Windows hosts with the PrintNightmare vulnerability as well as any new host that spins up with this vulnerability. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n#### Discover PrintNightmare CVE-2021-34527 Vulnerability __\n\nNow that the Windows hosts with PrintNightmare are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like PrintNightmare based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018PrintNightmare\u2019 asset tag in the vulnerabilities view by using QQL query:\n\n`vulnerabilities.vulnerability.qid: `91785``\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91785 is available in signature version VULNSIGS-2.5.226-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.5.226.3-2 and above.\n\nAlong with the QID 91785, Qualys released the following IG QID 45498 to help customers identify if Print Spooler service is running on Windows systems. This QID can be detected using authenticated scanning using VULNSIGS- 2.5.223-3 and above or the Qualys Cloud Agent manifest version 2.5.223.3-2 and above.\n\n`QID 45498: Microsoft Windows Print Spooler Service is Running`\n\n**Update July 8, 2021**: Qualys released QID 91786 to address the Zero Day. In addition, IG QID is released to identify if Point and Print restrictions are enabled. These QIDs can be detected using authenticated scanning using VULNSIGS- 2.5.228-3 and above or the Qualys Cloud Agent manifest version 2.5.228.3-2 and above. \n\n`QID 91786 Microsoft Windows Print Spooler Point and Print Insecure Configuration Detected (PrintNightmare) `\n\n`QID 45499 Point and Print Restrictions NoWarningNoElevationOnInstall Is Enabled`\n\nUsing VMDR, the PrintNightmare vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Privilege Escalation\n * Public Exploit\n * Active Attack\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n * Predicted High Risk\n * Unauthenticated_Exploitation\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the PrintNightmare threat feed to see the vulnerability and impacted host details.\n\n#### Dashboard\n\nWith VMDR Dashboard, you can track PrintNightmare, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of PrintNightmare vulnerability trends in your environment with the [PrintSpooler RCE (PrintNightmare) dashboard](<https://qualys-secure.force.com/customer/s/article/000006719>).\n\n\n\n#### Response by Patching and Remediation\n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply search based on `qid:91785` in the Patch Tab and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 PrintNightmare.\n\nFor proactive, continuous patching, you can create a daily job with a 24-hour patch window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n\n\n#### Identify and Address System Misconfigurations\n\nTo reduce the overall security risk, it is important to take care of Windows system misconfigurations as well. Qualys VMDR shows your Windows system misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have the PrintNightmare vulnerability. \n\nWith the [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover the status of the \u2018Print Spooler\u2019 service and if they have misconfigurations in context to the PrintNightmare vulnerability.\n\n\n\nQualys configuration ID \u2013 1368 \u201cStatus of the \u2018Print Spooler\u2019 service\u201d \n\u201d would be evaluated against all Windows systems as shown below\n\n\n\n21711 Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting would be evaluated as shown below\n\n\n\n#### Registry Settings Check After Installing the Updates\n\nAs reported in the [Microsoft advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) on July 7, 2021: In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (Note: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct.\n\n * HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n * NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)\n * UpdatePromptSettings = 0 (DWORD) or not defined (default setting)\n\nQualys Policy Compliance customers can evaluate the settings by the following two controls:\n\n19070 Status of the \u2018Point and Print Restrictions: When installing drivers for a new connection\u2019 setting\n\n\n\n19071 Status of the \u2018Point and Print Restrictions: When updating drivers for an existing connection\u2019 setting\n\n\n\n### Workaround\n\nUsers are urged to disable the \u201cPrint Spooler\u201d service on servers that do not require it. Microsoft has provided a series of [workarounds](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to be applied.\n\nDetermine if the Print Spooler service is running (run as a Domain Admin)\n\nRun the following as a Domain Admin: \n`Get-Service -Name Spooler`\n\nIf the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy:\n\n##### **Option 1** \u2013 Disable the Print Spooler service\n\nIf disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands: \n`Stop-Service -Name Spooler -Force \nSet-Service -Name Spooler -StartupType Disabled` \n \n**Impact of workaround**: Disabling the Print Spooler service disables the ability to print both locally and remotely.\n\n##### **Option 2** \u2013 Disable inbound remote printing through Group Policy\n\nYou can also configure the settings via Group Policy as follows: \n_Computer Configuration / Administrative Templates / Printers_ \nDisable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks. \n \n**Impact of workaround:** This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nPer the above two options, Qualys Policy Compliance customers can do evaluation by the following two controls:\n\n * 1368 Status of the \u2018Print Spooler\u2019 service\u201d\n * 21711 Status of the \u2018Allow Print Spooler to accept client connections\u2019 group policy setting\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical PrintNightmare vulnerability CVE-2021-34752.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T23:30:23", "type": "qualysblog", "title": "Microsoft Windows Print Spooler RCE Vulnerability (PrintNightmare-CVE-2021-34527) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527", "CVE-2021-34752"], "modified": "2021-07-07T23:30:23", "id": "QUALYSBLOG:485C0D608A0A8288FF38D618D185D2A2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-07-28T14:33:23", "description": "\n\n## Summary\n\nLast week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service \u2013 CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). Both vulnerabilities can be used by an attacker with a regular user account to take control of a vulnerable server or client machine that runs the Windows Print Spooler service. This service is enabled by default on all Windows clients and servers, including domain controllers.\n\nKaspersky products protect against attacks leveraging these vulnerabilities. The following detection names are used:\n\n * HEUR:Exploit.Win32.CVE-2021-1675.*\n * HEUR:Exploit.Win32.CVE-2021-34527.*\n * HEUR:Exploit.MSIL.CVE-2021-34527.*\n * HEUR:Exploit.Script.CVE-2021-34527.*\n * HEUR:Trojan-Dropper.Win32.Pegazus.gen\n * PDM:Exploit.Win32.Generic\n * PDM:Trojan.Win32.Generic\n * Exploit.Win32.CVE-2021-1675.*\n * Exploit.Win64.CVE-2021-1675.*\n\nOur detection logic is also successfully blocks attack technique from the latest Mimikatz framework v. 2.2.0-20210707.\n\nWe are closely monitoring the situation and improving generic detection of these vulnerabilities using our [Behavior Detection](<https://www.kaspersky.com/enterprise-security/wiki-section/products/behavior-based-protection>) and Exploit Prevention components. As part of our [Managed Detection and Response service](<https://www.kaspersky.com/enterprise-security/managed-detection-and-response>) Kaspersky SOC experts are able to detect exploitation of these vulnerabilities, investigate such attacks and report to customers.\n\n## Technical details\n\n### CVE-2021-34527\n\nWhen using RPC protocols to add a new printer (_RpcAsyncAddPrinterDriver [MS-PAR] or RpcAddPrinterDriverEx [MS-RPRN]_) a client has to provide multiple parameters to the Print Spooler service:\n\n * _pDataFile_ - a path to a data file for this printer;\n * _pConfigFile_ - a path to a configuration file for this printer;\n * _pDriverPath_ - a path to a driver file that&#x27;s used by this printer while it&#x27;s working.\n\nThe service makes several checks to ensure _pDataFile_ and _pDriverPath_ are not UNC paths, but there is no corresponding check for pConfigFile, meaning the service will copy the configuration DLL to the folder _%SYSTEMROOT%\\system32\\spool\\drivers\\x64\\3\\_ (on x64 versions of the OS).\n\nNow, if the Windows Print Spooler service tries to add a printer again, but this time sets pDataFile to the copied DLL path (from the previous step), the print service will load this DLL because its path is not a UNC path, and the check will be successfully passed. These methods can be used by a low-privileged account, and the DLL is loaded by the _NT AUTHORITY\\SYSTEM group_ process.\n\n### CVE-2021-1675\n\nThe local version of PrintNightmare uses the same method for exploitation as CVE-2021-34527, but there&#x27;s a difference in the entrypoint function (_AddPrinterDriverEx_). This means an attacker can place a malicious DLL in any locally accessible directory to run the exploit.\n\n## Mitigations\n\nKaspersky experts anticipate a growing number of exploitation attempts to gain access to resources inside corporate perimeters accompanied by a high risk of ransomware infection and data theft.\n\nTherefore, it is strongly recommended to follow Microsoft [guidelines](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>) and apply the latest security updates for Windows.\n\nQuoting Microsoft (as of July 7th, 2021): \n_&quot;Due to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object (GPO). \nWhile this security assessment focuses on domain controllers, any server is potentially at risk to this type of attack.&quot;_", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-08T05:00:06", "type": "securelist", "title": "Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T05:00:06", "id": "SECURELIST:0C07A61E6D92865F5B58728A60866991", "href": "https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-07-12T14:55:46", "description": "\n\n**Vulnerability note:** This blog originally referenced CVE-2020-1675, but members of the community noted the week of June 29 that the publicly available exploits that purported to exploit CVE-2021-1675 may in fact have been targeting a new vulnerability in the same function as CVE-2021-1675. This was later confirmed, and Microsoft issued a new CVE for what the research community originally thought was CVE-2021-1675. Defenders should now follow guidance and remediation information on the new vulnerability identifier,[CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>), instead.\n\nOn June 8, 2021, Microsoft released an advisory and patch for [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>) (\u201cPrintNightmare\u201d), a critical vulnerability in the Windows Print Spooler. Although [originally classified](<https://www.rapid7.com/blog/post/2021/06/08/patch-tuesday-june-2021/>) as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that a vulnerability they thought to be CVE-2021-1675 was still exploitable on some systems that had been patched. As of July 1, at least three different proof-of-concept exploits [had been made public](<https://github.com/afwu/PrintNightmare>).\n\nRapid7 researchers confirmed that public exploits worked against fully patched Windows Server 2019 installations as of July 1, 2021. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, Windows systems are vulnerable to remote code execution by authenticated attackers.\n\nThe vulnerability is in the `RpcAddPrinterDriver` call of the Windows Print Spooler. A client uses the RPC call to add a driver to the server, storing the desired driver in a local directory or on the server via SMB. The client then allocates a `DRIVER_INFO_2` object and initializes a `DRIVER_CONTAINER` object that contains the allocated `DRIVER_INFO_2` object. The `DRIVER_CONTAINER` object is then used within the call to `RpcAddPrinterDriver` to load the driver. This driver may contain arbitrary code that will be executed with SYSTEM privileges on the victim server. This command can be executed by any user who can authenticate to the Spooler service.\n\n## Updates\n\n**9 July 2021**: Microsoft [released revised guidance on CVE-2021-34527](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) the evening of July 8. According to the Microsoft Security Response Center, the out-of-band security update &quot;is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.&quot; This is consistent with Microsoft's emphasis earlier in the week that the out-of-band update effectively remediates CVE-2021-34527 **as long as Point and Print is not enabled.**\n\nThe [updated guidance from July 8, 2021](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) also contains revisions to the registry keys that must be set to `0` (or must not be present) in order to ensure that Point and Print is disabled in customer environments. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` and\n * `NoWarningNoElevationOnUpdate = 0`\n\n**However, as of July 8, 2021, one of the registry keys that must be set to a 0 (zero) value has changed.** Current guidance is that Point and Print can be disabled by setting the following registry keys to `0` (or ensuring they are not present):\n\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n\nWe have updated the `Mitigation Guidance` section in this post to reflect the latest remediation guidance from Microsoft. Further details can still be found in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>).\n\n**7 July 2021**: Microsoft released out-of-band updates for some (but not all) versions of Windows the evening of July 6, 2021. According to Microsoft's updated advisory, &quot;the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527.&quot; Exploitation in the wild has been detected, and ALL Windows systems are affected\u2014not just domain controllers.\n\n**As of July 7, 2021, multiple community researchers have disputed the efficacy of Microsoft's out-of-band fixes for CVE-2021-34527, noting that the local privilege escalation (LPE) vector may not have been addressed, and while the July 6 updates may have remediated the original MS-RPRN vector for remote code execution, RCE is [still possible using MS-PAR](<https://twitter.com/gentilkiwi/status/1411792763478233091>) with Point and Print enabled.** Several prominent researchers have tested ongoing exploitability, including [Will Dormann of CERT/CC](<https://twitter.com/wdormann/status/1412813044279910416>) and Mimikatz developer [Benjamin Delpy](<https://twitter.com/gentilkiwi/status/1412771368534528001>). Dormann [tweeted](<https://twitter.com/wdormann/status/1412813044279910416>) on July 7, 2021 just after noon EDT that &quot;If you have a system where PointAndPrint NoWarningNoElevationOnInstall = 1, then Microsoft's patch for #PrintNightmare CVE-2021-34527 does nothing to prevent either LPE or RCE.&quot;\n\nRapid7 researchers have confirmed that Metasploit and other public proof-of-concept code is still able to achieve remote code execution using both MS-RPRN and the UNC path bypass _as long as Point and Print is enabled._ When Point and Print is disabled using the guidance below, public exploit code fails to achieve remote code execution.\n\nTo fully remediate PrintNightmare CVE-2021-34527, Windows administrators should review Microsoft's guidance in in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>), install the out-of-band updates released July 6, 2021, and disable Point and Print. Microsoft also recommends restricting non-administrators from installing any signed or unsigned printer drivers on printer servers. See the **Mitigation Guidance** section below for detailed guidance.\n\n**6 July 2021**: Since this blog was initially posted, additional information has become available. Microsoft has issued a new advisory and assigned a new CVE ID to the PrintNightmare vulnerability: [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). \nThe new guidance recommends disabling the print spooler, as we initially recommended, and also contains instructions to disable inbound remote printing through Group Policy.\n\nThese are only workarounds and a patch remains unavilable at this time. \nSince this vulnerability has no patch and multiple proofs-of-concept are freely available, we recommend implementing a workaround mitigation as soon as possible. We advise folowing one of the two workarounds on all Domain Controllers and any other Windows machines\u2014servers or clients\u2014which meet either of the following criteria:\n\n 1. Point and Print is enabled\n 2. The Authenticated Users group is nested within any of the groups that are listed in the [mitigation section of Microsoft's advisory](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\nFrom a technical standpoint, additional information from Cube0x0 and Benjamin Delpy suggests that the `RpcAddPrinterDriver` is not the only vulnerable function, and the Win32 `AddPrinterDriverEx` function will also work correctly.Some proofs of concept used only the RPRN `RpcAddPrinterDriver` function and did not work on certain machines; others have been demonstrated to work on servers and clients other than domain controllers using `AddPrinterDriverEx`. This has also been referred to as &quot;SharpPrintNightmare&quot;.\n\n## Mitigation Guidance\n\nUp until July 6, 2021, the most effective mitigation strategy was to disable the print spooler service itself. Since July 6, Microsoft's guidance on remediating CVE-2021-34527 has undergone several revisions. Updated mitigation guidance is below, and we have also preserved our original guidance on disabling the print spooler service. The Microsoft Security Response Center [published a blog](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>) with the details below on July 8, 2021.\n\n**As of July 9, 2021:** \nTo fully remediate CVE-2021-34527, Windows administrators should review Microsoft's guidance in in [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) and do the following:\n\n 1. Install the cumulative update released July 6, 2021.\n 2. Disable Point and Print by setting the following registry keys to `0` (or ensuring they are not present):\n * `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall = 0` (DWORD) or not defined (default setting) **and**\n * `UpdatePromptSettings = 0` (DWORD) or not defined (default setting)\n 3. Configure the `RestrictDriverInstallationToAdministrators` registry value to prevent non-administrators from installing printer drivers on a print server. Setting this value to 1 or any non-zero value prevents a non-administrator from installing any signed or unsigned printer driver on a printer server. Administrators can install both a signed or unsigned printer driver on a print server.\n\n**Note:** This guidance has been revised and reflects new information published by Microsoft on July 8, 2021. Previously, Microsoft's guidance had been that Point and Print could be disabled by setting the `HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint NoWarningNoElevationOnInstall` and `NoWarningNoElevationOnUpdate` registry keys to `0`. As of July 9, 2021, this information is outdated and Windows customers should use the [revised guidance](<https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>).\n\nAfter installing the July 2021 out-of-band update, all users will be either administrators or non-administrators. Delegates will no longer be honored. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for further information.\n\nIf your organization does not require printing to conduct business operations, you may also disable the print spooler service. This should be done on all endpoints, servers, and especially domain controllers. Dedicated print servers may still be vulnerable if the spooler is not stopped. Microsoft [security guidelines](<https://docs.microsoft.com/en-us/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#print-spooler>) do not recommend disabling the service across all domain controllers, since the active directory has no way to remove old queues that no longer exist unless the spooler service is running on at least one domain controller in each site. However, until this vulnerability is effectively patched, this should have limited impact compared to the risk.\n\nOn Windows cmd:\n \n \n net stop spooler\n \n\nOn PowerShell:\n \n \n Stop-Service -Name Spooler -Force\n Set-Service -Name Spooler -StartupType Disabled\n \n\nThe following PowerShell commands can be used to help find exploitation attempts:\n \n \n Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'\n \n \n \n Get-WinEvent -FilterHashtable @{Logname='Microsoft-Windows-PrintService/Operational';ID=316} | Select-Object *\n \n\n## Rapid7 Customers\n\nWe strongly recommend that all customers either install the July 6, 2021 out-of-band updates **and** disable Point and Print via the two registry keys detailed in the `Mitigation Guidance` section above, **OR** disable the Windows Print Spooler service altogether on an emergency basis to mitigate the immediate risk of exploitation. InsightVM and Nexpose customers can assess their exposure to CVE-2021-34527 with authenticated checks in the July 8, 2021 content release. Checks look for the out-of-band patches Microsoft issued on July 6, 2021 and additionally ensure that Point and Print has been disabled in customer environments. InsightVM and Nexpose checks for CVE-2021-1675 were [released earlier in June](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2021-1675/>).\n\nVelociraptor users can use [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/>) and [this artifact](<https://docs.velociraptor.app/exchange/artifacts/pages/printnightmaremonitor/>) to hunt for .dll files dropped during PrintNightmare exploitation. An exploit module is also available to Metasploit Pro customers.\n\nWe will continue to update this blog as further information comes to light.", "cvss3": {}, "published": "2021-06-30T18:15:59", "type": "rapid7blog", "title": "CVE-2021-34527 (PrintNightmare): What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-1675", "CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-06-30T18:15:59", "id": "RAPID7BLOG:45A121567763FF457DE6E50439C2605A", "href": "https://blog.rapid7.com/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-09T18:55:38", "description": "## PrintNightmare\n\n\n\nRapid7 security researchers [Christophe De La Fuente](<https://github.com/cdelafuente-r7>), and [Spencer McIntyre](<https://github.com/zeroSteiner>), have added a new module for [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>), dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL load by abusing a vulnerability in the Print Spooler service. The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request using the MS-RPRN vector, resulting in remote code execution as `NT AUTHORITY\\SYSTEM`.\n\nBecause Metasploit's SMB server doesn't support SMB3 (yet), it's highly recommended to use an external SMB server like Samba that supports SMB3. The [Metasploit module documentation](<https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/auxiliary/admin/dcerpc/cve_2021_1675_printnightmare.md>) details the process of generating a payload DLL and using this module to load it.\n\n[CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) is being actively exploited in the wild. For more information and a full timeline, see [Rapid7\u2019s blog on PrintNightmare](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>)!\n\n## NSClient++\n\nGreat work by community contributor [Yann Castel](<https://github.com/Hakyac>) on their new NSClient++ module. This module allows an attacker with an unprivileged windows account to gain admin access on a windows system and start a shell.\n\nFor this module to work, both the web interface of NSClient++ and the `ExternalScripts` feature should be enabled. You must also know where the NSClient config file is as it is used to read the admin password which is stored in clear text.\n\n## New module content (2)\n\n * [Print Spooler Remote DLL Injection](<https://github.com/rapid7/metasploit-framework/pull/15385>) by Christophe De La Fuente, Piotr Madej, Spencer McIntyre, Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0, which exploits [CVE-2021-34527](<https://attackerkb.com/topics/MIHLz4sY3s/cve-2021-34527-printnightmare?referrer=blog>) \\- A new module has been added to Metasploit to exploit PrintNightmare, aka CVE-2021-1675/CVE-2021-34527, a Remote Code Execution vulnerability in the Print Spooler service of Windows. Successful exploitation results in the ability to load and execute an attacker controlled DLL as the `SYSTEM` user.\n\n * [NSClient++ 0.5.2.35 - Privilege escalation](<https://github.com/rapid7/metasploit-framework/pull/15318>) by BZYO, Yann Castel and kindredsec - This post module allows an attacker to perform a privilege escalation on a machine running a vulnerable version of NSClient++. The module retrieves the admin password from a config file at a customizable path, and so long as NSClient++ has both the web interface and ExternalScriptsfeature enabled, gains a SYSTEM shell.\n\n## Enhancements and features\n\n * [#15366](<https://github.com/rapid7/metasploit-framework/pull/15366>) from [pingport80](<https://github.com/pingport80>) \\- This updates how the msfconsole's history file is handled. It adds a size limitation so the number of commands does not grow indefinitely and fixes a locking condition that would occur when the history file had grown exceptionally large (~400,000 lines or more).\n\n## Bugs fixed\n\n * [#15320](<https://github.com/rapid7/metasploit-framework/pull/15320>) from [agalway-r7](<https://github.com/agalway-r7>) \\- A bug has been fixed in the `read_file` method of `lib/msf/core/post/file.rb` that prevented PowerShell sessions from being able to use the `read_file()` method. PowerShell sessions should now be able to use this method to read files from the target system.\n * [#15371](<https://github.com/rapid7/metasploit-framework/pull/15371>) from [bcoles](<https://github.com/bcoles>) \\- This fixes an issue in the `apport_abrt_chroot_priv_esc` module where if the `apport-cli` binary was not in the PATH the check method would fail.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-06-30T14%3A00%3A49-05%3A00..2021-07-08T16%3A19%3A37%2B01%3A00%22>)\n * [Full diff 6.0.51...6.0.52](<https://github.com/rapid7/metasploit-framework/compare/6.0.51...6.0.52>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the\n\n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-07-09T17:53:41", "type": "rapid7blog", "title": "Metasploit Wrap-up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-09T17:53:41", "id": "RAPID7BLOG:8DADA7B6B3B1BA6ED3D6EDBA37A79204", "href": "https://blog.rapid7.com/2021/07/09/metasploit-wrap-up-120/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:56:11", "description": "\n\n[Microsoft has patched another 117 CVEs](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Jul>), returning to volumes seen in early 2021 and most of 2020. It would appear that the recent trend of approximately 50 vulnerability fixes per month was not indicative of a slowing pace. This month there were 13 vulnerabilities rated Critical with nearly the rest being rated Important. Thankfully, none of the updates published today require additional steps to remediate, so administrators should be able to rely on their normal patching process. Once[ CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) has been remediated, priority should be to patch public facing DNS and Exchange servers, followed by Workstations, SharePoint servers, and finally Office applications.\n\nIt seems like the PrintNightmare is nearly over. While the past two weeks have been a frenzy for the security community there has been no new information since the end of last week when Microsoft made a final revision to their guidance on[ CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). If you haven\u2019t patched this yet, this is your daily reminder. For further details [please see our blog](<https://www.rapid7.com/blog/post/2021/06/30/cve-2021-1675-printnightmare-patch-does-not-remediate-vulnerability/>) on the topic.\n\n## Multiple Critical DNS Vulnerabilities Patched\n\nAdministrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are [CVE-2021-34494](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34494>) and [CVE-2021-33780](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33780>). Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network. Given the network exposure of DNS servers these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists [CVE-2021-33780](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33780>) as \u201cExploitation More Likely\u201d so it may only be a matter of time before attackers attempt to make use of these flaws.\n\n## New Exchange Updates Available\n\nOnly 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for [CVE-2021-34473](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>), [CVE-2021-34523](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523>), or [CVE-2021-33766](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33766>). Of the 4 newly patched vulnerabilities the most notable is [CVE-2021-31206](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31206>), a remote code execution flaw discovered in the recent Pwn2Own competition. \n\n## Scripting Engine Exploited in the Wild\n\nExploitation of [CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>) has been observed in the wild by researchers. There are no details on the frequency or spread of this exploit. This vulnerability requires the user to visit a link to download a malicious file. As with other vulnerabilities that require user interaction, strong security hygiene is the first line of defense.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Apps Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-33753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33753>) | Microsoft Bing Search Spoofing Vulnerability | No | No | 4.7 | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34528](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34528>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34529](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34529>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34477](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34477>) | Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33767>) | Open Enclave SDK Elevation of Privilege Vulnerability | No | No | 8.2 | Yes \n[CVE-2021-34479](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34479>) | Microsoft Visual Studio Spoofing Vulnerability | No | No | 7.8 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34473](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34473>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | Yes | 9.1 | No \n[CVE-2021-31206](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31206>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-31196](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31196>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 7.2 | No \n[CVE-2021-34523](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34523>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | Yes | 9 | No \n[CVE-2021-33768](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33768>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2021-34470](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34470>) | Microsoft Exchange Server Elevation of Privilege Vulnerability | No | No | 8 | Yes \n[CVE-2021-33766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33766>) | Microsoft Exchange Information Disclosure Vulnerability | No | No | 7.3 | Yes \n \n## Microsoft Dynamics Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34474](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34474>) | Dynamics Business Central Remote Code Execution Vulnerability | No | No | 8 | Yes \n \n## Microsoft Office Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34452](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34452>) | Microsoft Word Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34517](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34517>) | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 5.3 | No \n[CVE-2021-34520](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34520>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.1 | No \n[CVE-2021-34467](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34467>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | No \n[CVE-2021-34468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34468>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 7.1 | Yes \n[CVE-2021-34519](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34519>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-34469](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34469>) | Microsoft Office Security Feature Bypass Vulnerability | No | No | 8.2 | Yes \n[CVE-2021-34451](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34451>) | Microsoft Office Online Server Spoofing Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-34501](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34501>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34518](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34518>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31984](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31984>) | Power BI Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n \n## System Center Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-34464](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34464>) | Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34522](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34522>) | Microsoft Defender Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-33772](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33772>) | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-34490](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34490>) | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-33744](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33744>) | Windows Secure Kernel Mode Security Feature Bypass Vulnerability | No | No | 5.3 | No \n[CVE-2021-33763](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33763>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34454](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34454>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-33761](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33761>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33773](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33773>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34445>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33743](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33743>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34493](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34493>) | Windows Partition Management Driver Elevation of Privilege Vulnerability | No | No | 6.7 | No \n[CVE-2021-33740](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33740>) | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34458](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34458>) | Windows Kernel Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-34508](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34508>) | Windows Kernel Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-33771](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33771>) | Windows Kernel Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-31961](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31961>) | Windows InstallService Elevation of Privilege Vulnerability | No | No | 6.1 | Yes \n[CVE-2021-34450](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34450>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.5 | Yes \n[CVE-2021-33758](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33758>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 7.7 | No \n[CVE-2021-33755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33755>) | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.3 | No \n[CVE-2021-34466](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34466>) | Windows Hello Security Feature Bypass Vulnerability | No | No | 5.7 | Yes \n[CVE-2021-34438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34438>) | Windows Font Driver Host Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34455](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34455>) | Windows File History Service Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33774](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33774>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-33759](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33759>) | Windows Desktop Bridge Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34525](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34525>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-34461](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34461>) | Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34488](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34488>) | Windows Console Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33784](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33784>) | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34462>) | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-34459](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34459>) | Windows AppContainer Elevation Of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33785](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33785>) | Windows AF_UNIX Socket Provider Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-33779](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33779>) | Windows ADFS Security Feature Bypass Vulnerability | No | Yes | 8.1 | Yes \n[CVE-2021-34491](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34491>) | Win32k Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34449>) | Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-34509](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34509>) | Storage Spaces Controller Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34460](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34460>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34510](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34510>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34512](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34512>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34513](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34513>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33751>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-34521](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34521>) | Raw Image Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34439>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34503](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34503>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-33760](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33760>) | Media Foundation Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-31947](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31947>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33775](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33775>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33776](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33776>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33777](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33777>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33778](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33778>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-34489](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34489>) | DirectWrite Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-33781](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33781>) | Active Directory Security Feature Bypass Vulnerability | No | Yes | 8.1 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-31183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31183>) | Windows TCP/IP Driver Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-33757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33757>) | Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-33783](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33783>) | Windows SMB Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34507](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34507>) | Windows Remote Assistance Information Disclosure Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34457](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34457>) | Windows Remote Access Connection Manager Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34456](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34456>) | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34527](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527>) | Windows Print Spooler Remote Code Execution Vulnerability | Yes | Yes | 8.8 | Yes \n[CVE-2021-34497](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34497>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-34447](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34447>) | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-33786](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33786>) | Windows LSA Security Feature Bypass Vulnerability | No | No | 8.1 | Yes \n[CVE-2021-33788](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33788>) | Windows LSA Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-33764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33764>) | Windows Key Distribution Center Information Disclosure Vulnerability | No | No | 5.9 | Yes \n[CVE-2021-34500](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34500>) | Windows Kernel Memory Information Disclosure Vulnerability | No | No | 6.3 | Yes \n[CVE-2021-31979](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31979>) | Windows Kernel Elevation of Privilege Vulnerability | Yes | No | 7.8 | No \n[CVE-2021-34514](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34514>) | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33765](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33765>) | Windows Installer Spoofing Vulnerability | No | No | 6.2 | No \n[CVE-2021-34511](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34511>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34446>) | Windows HTML Platforms Security Feature Bypass Vulnerability | No | No | 8 | No \n[CVE-2021-34496](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34496>) | Windows GDI Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34498](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34498>) | Windows GDI Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-33749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33749>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33750>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33752>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33756>) | Windows DNS Snap-in Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-34494](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34494>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33780](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33780>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-33746](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33746>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8 | No \n[CVE-2021-33754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33754>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 8 | No \n[CVE-2021-34442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34442>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-34444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34444>) | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34499](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34499>) | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | No \n[CVE-2021-33745](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33745>) | Windows DNS Server Denial of Service Vulnerability | No | No | 6.5 | Yes \n[CVE-2021-34492](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34492>) | Windows Certificate Spoofing Vulnerability | No | Yes | 8.1 | No \n[CVE-2021-33782](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33782>) | Windows Authenticode Spoofing Vulnerability | No | No | 5.5 | No \n[CVE-2021-34504](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34504>) | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34516](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34516>) | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-34448](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34448>) | Scripting Engine Memory Corruption Vulnerability | Yes | No | 6.8 | Yes \n[CVE-2021-34441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34441>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-34440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34440>) | GDI+ Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-34476](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34476>) | Bowser.sys Denial of Service Vulnerability | No | No | 7.5 | No \n \n## Summary Graphs\n\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T20:56:26", "type": "rapid7blog", "title": "Patch Tuesday - July 2021", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-31183", "CVE-2021-31196", "CVE-2021-31206", "CVE-2021-31947", "CVE-2021-31961", "CVE-2021-31979", "CVE-2021-31984", "CVE-2021-33740", "CVE-2021-33743", "CVE-2021-33744", "CVE-2021-33745", "CVE-2021-33746", "CVE-2021-33749", "CVE-2021-33750", "CVE-2021-33751", "CVE-2021-33752", "CVE-2021-33753", "CVE-2021-33754", "CVE-2021-33755", "CVE-2021-33756", "CVE-2021-33757", "CVE-2021-33758", "CVE-2021-33759", "CVE-2021-33760", "CVE-2021-33761", "CVE-2021-33763", "CVE-2021-33764", "CVE-2021-33765", "CVE-2021-33766", "CVE-2021-33767", "CVE-2021-33768", "CVE-2021-33771", "CVE-2021-33772", "CVE-2021-33773", "CVE-2021-33774", "CVE-2021-33775", "CVE-2021-33776", "CVE-2021-33777", "CVE-2021-33778", "CVE-2021-33779", "CVE-2021-33780", "CVE-2021-33781", "CVE-2021-33782", "CVE-2021-33783", "CVE-2021-33784", "CVE-2021-33785", "CVE-2021-33786", "CVE-2021-33788", "CVE-2021-34438", "CVE-2021-34439", "CVE-2021-34440", "CVE-2021-34441", "CVE-2021-34442", "CVE-2021-34444", "CVE-2021-34445", "CVE-2021-34446", "CVE-2021-34447", "CVE-2021-34448", "CVE-2021-34449", "CVE-2021-34450", "CVE-2021-34451", "CVE-2021-34452", "CVE-2021-34454", "CVE-2021-34455", "CVE-2021-34456", "CVE-2021-34457", "CVE-2021-34458", "CVE-2021-34459", "CVE-2021-34460", "CVE-2021-34461", "CVE-2021-34462", "CVE-2021-34464", "CVE-2021-34466", "CVE-2021-34467", "CVE-2021-34468", "CVE-2021-34469", "CVE-2021-34470", "CVE-2021-34473", "CVE-2021-34474", "CVE-2021-34476", "CVE-2021-34477", "CVE-2021-34479", "CVE-2021-34488", "CVE-2021-34489", "CVE-2021-34490", "CVE-2021-34491", "CVE-2021-34492", "CVE-2021-34493", "CVE-2021-34494", "CVE-2021-34496", "CVE-2021-34497", "CVE-2021-34498", "CVE-2021-34499", "CVE-2021-34500", "CVE-2021-34501", "CVE-2021-34503", "CVE-2021-34504", "CVE-2021-34507", "CVE-2021-34508", "CVE-2021-34509", "CVE-2021-34510", "CVE-2021-34511", "CVE-2021-34512", "CVE-2021-34513", "CVE-2021-34514", "CVE-2021-34516", "CVE-2021-34517", "CVE-2021-34518", "CVE-2021-34519", "CVE-2021-34520", "CVE-2021-34521", "CVE-2021-34522", "CVE-2021-34523", "CVE-2021-34525", "CVE-2021-34527", "CVE-2021-34528", "CVE-2021-34529"], "modified": "2021-07-13T20:56:26", "id": "RAPID7BLOG:4B35B23167A9D5E016537F6A81E4E9D4", "href": "https://blog.rapid7.com/2021/07/13/patch-tuesday-july-2021/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2021-07-10T01:12:45", "description": "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates. Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Microsoft CVE-2021-34527: Windows Print Spooler Remote Code Execution Vulnerability (PrintNightmare)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/MSFT-CVE-2021-34527/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2021-07-19T10:34:07", "bulletinFamily": "info", "cvelist": ["CVE-2021-34523"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Powershell service. The issue results from the lack of proper validation of a access token prior to executing the Exchange PowerShell command. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.", "edition": 1, "modified": "2021-07-19T00:00:00", "published": "2021-07-19T00:00:00", "id": "ZDI-21-822", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-822/", "title": "(Pwn2Own) Microsoft Exchange Server PowerShell Improper Authentication Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-19T10:34:07", "bulletinFamily": "info", "cvelist": ["CVE-2021-34473"], "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Autodiscover service. The issue results from the lack of proper validation of URI prior to accessing resources. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of SYSTEM.", "edition": 1, "modified": "2021-07-19T00:00:00", "published": "2021-07-19T00:00:00", "id": "ZDI-21-821", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-821/", "title": "(Pwn2Own) Microsoft Exchange Server Autodiscover Server Side Request Forgery Authentication Bypass Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}], "mscve": [{"lastseen": "2021-08-01T04:40:19", "description": "Microsoft Exchange Server Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33768, CVE-2021-34470. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34523"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34523", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34523", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-01T04:40:13", "description": "Windows Kernel Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34508. \n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Windows Kernel Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34458"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34458", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34458", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-31T22:40:30", "description": "Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206. \n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Microsoft Exchange Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34473", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-01T04:40:20", "description": "Windows MSHTML Platform Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-34447. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Windows MSHTML Platform Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34497"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34497", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34497", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-08-01T04:40:20", "description": "Windows DNS Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34525. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Windows DNS Server Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34494"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34494", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34494", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2021-07-31T07:59:55", "description": "Scripting Engine Memory Corruption Vulnerability \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Scripting Engine Memory Corruption Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34448"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-34448", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34448", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-01T04:40:21", "description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-31979, CVE-2021-34514. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-33771"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-33771", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-01T04:40:19", "description": "Windows Kernel Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-33771, CVE-2021-34514. \n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mscve", "title": "Windows Kernel Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-31979"], "modified": "2021-07-13T07:00:00", "id": "MS:CVE-2021-31979", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T20:06:03", "description": "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nUPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.\n\nIn addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (**Note**: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):\n\n * HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\n * NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)\n * UpdatePromptSettings = 0 (DWORD) or not defined (default setting)\n\n**Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.**\n\nUPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also [KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates](<https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7>).\n\nNote that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as \u201cPrintNightmare\u201d, documented in CVE-2021-34527.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mscve", "title": "Windows Print Spooler Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-16T07:00:00", "id": "MS:CVE-2021-34527", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34527", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-01T04:40:24", "description": "Windows Print Spooler Elevation of Privilege Vulnerability \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-08T07:00:00", "type": "mscve", "title": "Windows Print Spooler Remote Code Execution Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-02T07:00:00", "id": "MS:CVE-2021-1675", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1675", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-07-27T10:16:20", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mskb", "title": "Security update 2021-07-13", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34473"], "modified": "2021-07-13T07:00:00", "id": "KB5001779", "href": "https://support.microsoft.com/en-us/help/5001779", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:40", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T07:00:00", "type": "mskb", "title": "Security update 2021-07-13", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34448"], "modified": "2021-07-13T07:00:00", "id": "KB5004233", "href": "https://support.microsoft.com/en-us/help/5004233", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:46", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004945", "href": "https://support.microsoft.com/en-us/help/5004945", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:49", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004960", "href": "https://support.microsoft.com/en-us/help/5004960", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:46", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004946", "href": "https://support.microsoft.com/en-us/help/5004946", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:46", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004947", "href": "https://support.microsoft.com/en-us/help/5004947", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:47", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004951", "href": "https://support.microsoft.com/en-us/help/5004951", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:48", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004954", "href": "https://support.microsoft.com/en-us/help/5004954", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:48", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004956", "href": "https://support.microsoft.com/en-us/help/5004956", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-27T10:16:47", "description": "", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T07:00:00", "type": "mskb", "title": "Security update 2021-07-01", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-01T07:00:00", "id": "KB5004950", "href": "https://support.microsoft.com/en-us/help/5004950", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-07-14T18:08:44", "description": "CISA has issued [Emergency Directive (ED) 21-04: Mitigate Windows Print Spooler Service Vulnerability](<https://cyber.dhs.gov/ed/21-04>) addressing [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Attackers can exploit this vulnerability to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nSpecifically, ED 21-04 directs federal departments and agencies to immediately apply the [Microsoft July 2021 updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) and disable the print spooler service on servers on Microsoft Active Directory (AD) Domain Controllers (DCs).\n\nAlthough ED 21-04 applies to Executive Branch departments and agencies, CISA strongly recommends that state and local governments, private sector organizations, and others review [ED 21-04: Mitigate Windows Print Spooler Service Vulnerability](<https://cyber.dhs.gov/ed/21-04>) for additional mitigation recommendations.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-13T00:00:00", "type": "cisa", "title": "CISA Issues Emergency Directive on Microsoft Windows Print Spooler", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-34527"], "modified": "2021-07-13T00:00:00", "id": "CISA:4F4185688CEB9B9416A98FE75E7AFE02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/13/cisa-issues-emergency-directive-microsoft-windows-print-spooler", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T18:09:13", "description": "_(Updated July 2, 2021) _For new information and mitigations, see [Microsoft's updated guidance for the Print spooler vulnerability (CVE-2021-34527)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n_(Updated July 1, 2021) _See [Microsoft's new guidance for the Print spooler vulnerability (CVE-2021-34527)](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) and apply the necessary workarounds. \n\n_(Original post June 30, 2021)_ The CERT Coordination Center (CERT/CC) has released a [VulNote](<https://www.kb.cert.org/vuls/id/383432>) for a critical remote code execution vulnerability in the Windows Print spooler service, noting: \u201cwhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.\u201d An attacker can exploit this vulnerability\u2014nicknamed PrintNightmare\u2014to take control of an affected system.\n\nCISA encourages administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print. Additionally, administrators should employ the following best practice from Microsoft\u2019s [how-to guides](<https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-print-spooler>), published January 11, 2021: \u201cDue to the possibility for exposure, domain controllers and Active Directory admin systems need to have the Print spooler service disabled. The recommended way to do this is using a Group Policy Object.\u201d \n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-30T00:00:00", "type": "cisa", "title": "PrintNightmare, Critical Windows Print Spooler Vulnerability ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-02T00:00:00", "id": "CISA:367C27124C09604830E0725F5F3123F7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T18:12:56", "description": "Microsoft has released [out-of-band security updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) to address a remote code execution (RCE) vulnerability\u2014known as PrintNightmare (CVE-2021-34527)\u2014in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), \u201cThe Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.\u201d\n\nThe updates are cumulative and contain all previous fixes as well as protections for CVE-2021-1675. The updates do not include Windows 10 version 1607, Windows Server 2012, or Windows Server 2016\u2014Microsoft states updates for these versions are forthcoming. Note: According to CERT/CC, \u201cthe Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.\u201d See [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) for workarounds for the LPE variant.\n\nCISA encourages users and administrators to review the [Microsoft Security Updates](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) as well as [CERT/CC Vulnerability Note VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds. For additional background, see [CISA\u2019s initial Current Activity on PrintNightmare](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-06T00:00:00", "type": "cisa", "title": "Microsoft Releases Out-of-Band Security Updates for PrintNightmare", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-06T00:00:00", "id": "CISA:6C836D217FB0329B2D68AD71789D1BB0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/06/microsoft-releases-out-band-security-updates-printnightmare", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "malwarebytes": [{"lastseen": "2021-07-14T12:38:34", "description": "Last week we wrote about [PrintNightmare](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>), a vulnerability that was supposed to be patched but wasn&#x27;t. After June&#x27;s Patch Tuesday, researchers found that the patch did not work in every case, most notably on modern domain controllers. Yesterday, Microsoft issued a set of out-of-band patches that sets that aims to set that right by fixing the Windows Print Spooler Remote Code Execution vulnerability listed as [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>).\n\n### Serious problem\n\nFor Microsoft to publish an out-of-band patch a week before July&#x27;s Patch Tuesday shows just how serious the problem is.\n\nPrintNightmare allows a standard user on a Windows network to execute arbitrary code on an affected machine, and to elevate their privileges as far as domain admin, by feeding a vulnerable machine a malicious printer driver. The problem was exacerbated by confusion around whether PrintNightmare was a known, patched problem or an entirely new problem. In the event it turned out to be a bit of both.\n\nLast week the Cybersecurity and Infrastructure Security Agency (CISA) urged administrators to [disable the Windows Print Spooler service](<https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability>) in domain controllers and systems that don&#x27;t print.\n\nHowever, the installation of the Domain Controller (DC) role adds a thread to the spooler service that is responsible for removing stale print queue objects. If the spooler service is not running on at least one domain controller in each site, then Active Directory has no means to remove old queues that no longer exist.\n\nSo, many organizations were forced to keep the Print Spooler service enabled on some domain controllers, leaving them at risk to attacks using this vulnerability.\n\n### Set of patches\n\nDepending on the Windows version the patch will be offered as:\n\n * [KB5004945](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 2004, version 20H1, and version 21H1\n * [KB5004946](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004946-os-build-18363-1646-out-of-band-18c5ffac-6015-4b3a-ba53-a73c3d3ed505>) for Windows 10 version 1909\n * [KB5004947](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004947-os-build-17763-2029-out-of-band-71994811-ff08-4abe-8986-8bd3a4201c5d>) for Windows 10 version 1809 and Windows Server 2019\n * KB5004949 for Windows 10 version 1803 which is not available yet\n * [KB5004950](<https://support.microsoft.com/en-us/topic/july-6-2021-kb5004950-os-build-10240-18969-out-of-band-7f900b36-b3cb-4f5e-8eca-107cc0d91c50>) for Windows 10 version 1507\n * Older Windows versions (Windows 7 SP1, Windows 8.1 Server 2008 SP2, Windows Server 2008 R2 SP1, and Windows Server 2012 R2) will receive a security update that disallows users who are not administrators to install only signed print drivers to a print server.\n\nSecurity updates have not yet been released for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012, but they will also be released soon, according to Microsoft.\n\nThe updates are cumulative and contain all previous fixes as well as protections for [CVE-2021-1675](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1675>).\n\n### Not a complete fix\n\nIt is important to note that these patches and updates **only tackle the remote code execution (RCE) part** of the vulnerability. Several researchers have confirmed that the local privilege escalation (LPE) vector still works. This means that threat actors and already active malware can still locally exploit the vulnerability to gain SYSTEM privileges.\n\n### Advice\n\nMicrosoft recommends that you install this update immediately on all supported Windows client and server operating systems, starting with devices that currently host the print server role. You also have the option to configure the `RestrictDriverInstallationToAdministrators` registry setting to prevent non-administrators from installing signed printer drivers on a print server. See [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n> \u201cThe attack vector and protections in CVE-2021-34527 reside in the code path that installs a printer driver to a Server. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. In summary, protections in CVE-2021-34527 including the RestrictDriverInstallationToAdministrators registry key do not impact this scenario.\u201d\n\nCISA encourages users and administrators to review the Microsoft Security Updates as well as CERT/CC Vulnerability Note [VU #383432](<https://www.kb.cert.org/vuls/id/383432>) and apply the necessary updates or workarounds.\n\n### Impact of the updates\n\nSo, the vulnerability lies in the normal procedure that allows users to install a printer driver on a server. A printer driver is in essence an executable like any other. And allowing users to install an executable of their choice is asking for problems. Especially combined with a privilege escalation vulnerability that anyone can use to act with SYSTEM privileges. The updates, patches, and some of the workarounds are all designed to limit the possible executables since they need to be signed printer drivers.\n\nFor a detailed and insightful diagram that shows GPO settings and registry keys administrators can check whether their systems are vulnerable, have a look at this flow chart diagram, courtesy of [Will Dormann](<https://twitter.com/wdormann>).\n\n> This is my current understanding of the [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) exploitability flowchart. \nThere&#x27;s a small disagreement between me and MSRC at the moment about UpdatePromptSettings vs. NoWarningNoElevationOnUpdate, but I think it doesn&#x27;t matter much as I just have both for now. [pic.twitter.com/huIghjwTFq](<https://t.co/huIghjwTFq>)\n> \n> -- Will Dormann (@wdormann) [July 7, 2021](<https://twitter.com/wdormann/status/1412906574998392840?ref_src=twsrc%5Etfw>)\n\n### Information for users that applied 0patch\n\nIt is worth mentioning for the users that applied the PrintNightmare [micropatches by 0patch](<https://blog.0patch.com/2021/07/free-micropatches-for-printnightmare.html>) that according to 0patch it is better not to install the Microsoft patches. They posted on Twitter that the Microsoft patches that only fix the RCE part of the vulnerability disable the 0patch micropatch which fixes both the LPE and RCE parts of the vulnerability.\n\n> If you&#x27;re using 0patch against PrintNightmare, DO NOT apply the July 6 Windows Update! Not only does it not fix the local attack vector but it also doesn&#x27;t fix the remote vector. However, it changes localspl.dll, which makes our patches that DO fix the problem stop applying. <https://t.co/osoaxDVCoB>\n> \n> -- 0patch (@0patch) [July 7, 2021](<https://twitter.com/0patch/status/1412826130051174402?ref_src=twsrc%5Etfw>)\n\n### Update July 9, 2021\n\nOnly a little more than 12 hours after the release a researcher has found an exploit that works on a patched system under special circumstances. [Benjamin Delpy](<https://twitter.com/gentilkiwi?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1412771368534528001%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Farstechnica.com%2Fgadgets%2F2021%2F07%2Fmicrosofts-emergency-patch-fails-to-fix-critical-printnightmare-vulnerability%2F>) showed an exploit working against a Windows Server 2019 that had installed the out-of-band patch. In a demo Delpy shows that the update fails to fix vulnerable systems that use certain settings for a feature called [point and print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>), which makes it easier for network users to obtain the printer drivers they need.\n\nIn Microsoft&#x27;s defense the advisory for [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>) contains a note in the FAQ stating that:\n\n> Point and Print is not directly related to this vulnerability, but certain configurations make systems vulnerable to exploitation.\n\n### Update July 14, 2021\n\nThe Cybersecurity and Infrastructure Security Agency\u2019s (CISA) has issued [Emergency Directive 21-04](<https://cyber.dhs.gov/ed/21-04/>), \u201cMitigate Windows Print Spooler Service Vulnerability\u201d because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. \n\nCISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. The actions CISA lists are required actions for the agencies. The determination that these actions are necessary is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems. Exploitation of the vulnerability allows an attacker to remotely execute code with system level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization. \n\nThe post [UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-07T14:17:31", "type": "malwarebytes", "title": "UPDATED: Patch now! Emergency fix for PrintNightmare released by Microsoft", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-07T14:17:31", "id": "MALWAREBYTES:DB34937B6474073D9444648D34438225", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/patch-now-emergency-fix-for-printnightmare-released-by-microsoft/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-08T08:32:20", "description": "In a rush to be the first to publish a proof-of-concept (PoC), researchers have published a write-up and a demo exploit to demonstrate a vulnerability that has been dubbed PrintNightmare. Only to find out they had alerted the world to a new 0-day vulnerability by accident.\n\n### What happened?\n\nIn June, Microsoft patched a vulnerability in the Windows Print Spooler that was listed as [CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>). At first it was classified as an elevation of privilege (EoP) vulnerability. Which means that someone with limited access to a system could raise their privilege level, giving them more power over the affected system. This type of vulnerability is serious, especially when it is found in a widely used service like the Windows Print Spooler. A few weeks after the patch Microsoft raised the level of seriousness to a remote code execution (RCE) vulnerability. RCE vulnerabilities allow a malicious actor to execute their code on a different machine on the same network.\n\nAs per [usual](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/06/microsoft-fixes-seven-zero-days-including-two-puzzlemaker-targets-google-fixes-serious-android-flaw/>), the general advice was to install the patches from Microsoft and you\u2019re done. Fast forward another week and a researcher announced he&#x27;d found a way to exploit the vulnerability to achieve both local privilege escalation and remote code execution. This actually happens a lot when researchers reverse engineer a patch.\n\nOnly in this case it had an unexpected consequence. A different team of researchers had also found an RCE vulnerability in the Print Spooler service. They called theirs PrintNightmare and believed it was the same as CVE-2021-1675. They were working on a presentation to be held at the Black Hat security conference. But now they feared that the other team had stumbled over the same vulnerability, so they published their work, believing it was covered by the patch already released by Microsoft.\n\nBut the patch for CVE-2021-1675 didn&#x27;t seem to work against the PrintNightmare vulnerability. It appeared that PrintNightmare and CVE-2021-1675 were in fact two very similar but different vulnerabilities in the Print Spooler.\n\nAnd with that, it looked as if the PrintNightmare team had, unwittingly, disclosed a new 0-day vulnerability irresponsibly. (Disclosure of vulnerabilities is considered responsible if a vendor is given enough time to issue a patch.)\n\nSince then, some security researchers have argued that CVE-2021-1675 and PrintNightmare are the same, and others have reported that the CVE-2021-1675 patch works on _some_ systems.\n\n> [#PrintNightmare](<https://twitter.com/hashtag/PrintNightmare?src=hash&ref_src=twsrc%5Etfw>) / CVE-2021-1675 - It appears patches might be effective on systems that are not domain controllers. RpcAddPrinterDriverEx call as non-admin fails with access denied against fully patched Server 2016 and 2019 non-DC, but after dcpromo the exploit works again. \n [pic.twitter.com/USetUXUzXN](<https://t.co/USetUXUzXN>)\n> \n> -- Stan Hegt (@StanHacked) [July 1, 2021](<https://twitter.com/StanHacked/status/1410405688766042115?ref_src=twsrc%5Etfw>)\n\nWhether they are the same or not, what is not in doubt is that there are live Windows systems where PrintNightmare cannot be patched. And unfortunately, it seems that the systems where the patch doesn&#x27;t work are Windows Domain Controllers, which is very much the worst case scenario. \n\n### PrintNightmare\n\nThe Print Spooler service is embedded in the Windows operating system and manages the printing process. It is running by default on most Windows machines, including Active Directory servers.\n\nIt handles preliminary functions of finding and loading the print driver, creating print jobs, and then ultimately printing. This service has been around \u201cforever\u201d and it has been a fruitful hunting ground for vulnerabilities, with many flaws being found and fixed over the years. Remember [Stuxnet](<https://blog.malwarebytes.com/threat-analysis/2013/11/stuxnet-new-light-through-old-windows/>)? Stuxnet also exploited a vulnerability in the Print Spooler service as part of the set of vulnerabilities the worm used to spread.\n\nPrintNightmare can be triggered by an unprivileged user attempting to load a malicious driver remotely. Using the vulnerability, researchers have been able to gain SYSTEM privileges, and achieved remote code execution with the highest privileges on a fully patched system.\n\nTo exploit the flaw, attackers would first have to gain access to a network with a vulnerable machine. Although this provides some measure of protection, it is worth noting that there are underground markets where criminals can purchase this kind of access for a few dollars.\n\nIf they can secure any kind of access, they can potentially use PrintNightmare to turn a normal user into an all-powerful Domain Admin. As a Domain Admin they could then act almost with impunity, spreading ransomware, deleting backups and even disabling security software.\n\n### Mitigation\n\nConsidering the large number of machines that may be vulnerable to PrintNightmare, and that several methods to exploit the vulnerability have been published, it seems likely there will soon be malicious use-cases for this vulnerability.\n\nThere are a few things you can do until the vulnerability is patched. Microsoft will probably try to patch the vulnerability before next patch Tuesday (July 12), but until then you can:\n\n * Disable the Print Spooler service on machines that do not need it. Please note that stopping the service without disabling may not be enough.\n * For the systems that do need the Print Spooler service to be running make sure they are not exposed to the internet.\n\nI realize the above will not be easy or even feasible in every case. For those machines that need the Print Spooler service and also need to be accessible from outside the LAN, very carefully limit and [monitor](<https://support.malwarebytes.com/hc/en-us/articles/360056829274-Configure-Brute-Force-Protection-in-Malwarebytes-Nebula>) access events and permissions. Also at all costs avoid running the Print Spooler service on any domain controllers.\n\nFor further measures it is good to know that the exploit works by dropping a DLL in a subdirectory under C:\\Windows\\System32\\spool\\drivers, so system administrators can create a \u201cDeny to modify\u201d rule for that directory and its subdirectories so that even the SYSTEM account can not place a new DLL in them.\n\nThis remains a developing situation and we will update this article if more information becomes available.\n\n### Update July 2, 2021\n\nMicrosoft acknowledged this vulnerability and it has been assigned [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). In their description Microsoft also provides an extra workaround besides disabling the Print Spooler service.\n\n**Disable inbound remote printing through Group Policy**\n\nYou can also configure the settings via Group Policy as follows:\n\n * Computer Configuration / Administrative Templates / Printers\n * Disable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\nThe post [PrintNightmare 0-day can be used to take over Windows domain controllers](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-01T14:08:26", "type": "malwarebytes", "title": "PrintNightmare 0-day can be used to take over Windows domain controllers", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-01T14:08:26", "id": "MALWAREBYTES:DA59FECA8327C8353EA012EA1B957C7E", "href": "https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/printnightmare-0-day-can-be-used-to-take-over-windows-domain-controllers/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2021-07-08T22:35:10", "description": "Over the past several weeks, there's been a lot of discussion about a particular privilege escalation vulnerability in Windows affecting the print spooler, dubbed PrintNightmare. The vulnerability (CVE-2021-1675/CVE-2021-34527) has now been patched multiple times but is believed to still be... \n \n[[ This is only the beginning! Please visit the blog for the complete entry ]]", "cvss3": {}, "published": "2021-07-08T13:25:03", "type": "talosblog", "title": "PrintNightmare: Here\u2019s what you need to know and Talos\u2019 coverage", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-08T13:25:03", "id": "TALOSBLOG:44F665C3D577FC52EF671E9C0CB1750F", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/xyAn8M5kWIs/printnightmare-coverage.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2021-07-28T14:48:26", "description": "### Overview\n\nThe Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.\n\n### Description\n\nThe [RpcAddPrinterDriverEx()](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>) function is used to install a printer driver on a system. One of the parameters to this function is the [DRIVER_CONTAINER](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>) object, which contains information about which driver is to be used by the added printer. The other argument, `dwFileCopyFlags`, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call `RpcAddPrinterDriverEx()` and specify a driver file that lives on a remote server. This results in the Print Spooler service `spoolsv.exe` executing code in an arbitrary DLL file with SYSTEM privileges.\n\nNote that while original exploit code relied on the `RpcAddPrinterDriverEx` to achieve code execution, [an updated version of the exploit](<https://github.com/cube0x0/CVE-2021-1675>) uses [RpcAsyncAddPrinterDriver](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/5d864e3e-5d8b-4337-89ce-cb0258ab97cd>) to achieve the same goal. Both of these functions achieve their functionality using [AddPrinterDriverEx](<https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>).\n\nWhile Microsoft has released an [update for CVE-2021-1675](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>), it is important to realize that this update does **NOT** protect against public exploits that may refer to `PrintNightmare` or CVE-2021-1675.\n\nOn July 1, Microsoft released [CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). This bulletin states that CVE-2021-34527 is similar but distinct from the vulnerability that is assigned CVE-2021-1675, which addresses a different vulnerability in RpcAddPrinterDriverEx(). The attack vector is different as well. CVE-2021-1675 was addressed by the June 2021 security update. \n\n### Impact\n\nBy sending a request to add a printer, e.g. by using `RpcAddPrinterDriverEx()` over SMB or `RpcAsyncAddPrinterDriver()` over RPC, a remote, authenticated attacker may be able to execute arbitrary code with SYSTEM privileges on a vulnerable system. A local unprivileged user may be able to execute arbitrary code with SYSTEM privileges as well. We have created a flowchart to indicate exploitability of PrintNightmare across various platform configurations:\n\n\n\n### Solution\n\n#### Apply an update\n\nMicrosoft has addressed this issue in the [updates for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Note that the Microsoft update for CVE-2021-34527 does not effectively prevent exploitation of systems where the [Point and Print](<https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>) `NoWarningNoElevationOnInstall` is set to a non-`0` value. Microsoft indicates that systems that have `NoWarningNoElevationOnInstall` is set to a non-`0` value are **vulnerable by design.** For systems that do not have the CVE-2021-34527 installed, or have Point and Print configured insecurely, please consider the following workarounds:\n\n#### Apply a workaround\n\nMicrosoft has listed several workarounds in their [advisory for CVE-2021-34527](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>). Specifically:\n\n#### Microsoft Option 1 - Stop and disable the Print Spooler service\n\nThis vulnerability can be mitigated by stopping and disabling the Print Spooler service in Windows.\n\nIf disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands:\n\n`Stop-Service -Name Spooler -Force`\n\n`Set-Service -Name Spooler -StartupType Disabled`\n\n**Impact of workaround** Disabling the Print Spooler service disables the ability to print both locally and remotely.\n\n#### Microsoft Option 2 - Disable inbound remote printing through Group Policy\n\nDisable the \u201cAllow Print Spooler to accept client connections:\u201d policy to block remote attacks.\n\n**Impact of workaround** This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device will still be possible.\n\n**Note:** The Print Spooler service **must** be restarted for this workaround to be activated.\n\n#### Block RPC and SMB ports at the firewall\n\nLimited testing has shown that blocking both the RPC Endpoint Mapper (`135/tcp`) and SMB (`139/tcp` and `445/tcp`) at the firewall level can prevent remote exploitation of this vulnerability. Note that blocking these ports on a Windows system may prevent expected capabilities from functioning properly, especially on a system that functions as a server.\n\n#### Enable security prompts for Point and Print\n\nEnsure that the Windows Point and Print Restrictions are set to `Show warning and elevation prompt` for both installing and updating drivers in the Windows Group Policy. Specifically the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\` key should have `NoWarningNoElevationOnInstall` and `UpdatePromptSettings` entries that are both set to `0`.\n\n#### Restrict printer driver installation ability to administrators\n\nAfter the Microsoft update for CVE-2021-34527 is installed, a registry value called `RestrictDriverInstallationToAdministrators` in the `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint\\` key is checked, which is intended to restrict printer driver installation to only administrator users. Please see [KB5005010](<https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>) for more details.\n\n### Acknowledgements\n\nThis issue was publicly disclosed by Zhiniang Peng and Xuefeng Li.\n\nThis document was written by Will Dormann.\n\n### Vendor Information \n\n383432\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n### Microsoft __ Affected\n\nNotified: 2021-06-30 Updated: 2021-07-08 **CVE-2021-1675**| Affected \n---|--- \n**CVE-2021-34527**| Affected \n \n#### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n#### References\n\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n\n \n\n\n### References \n\n * <https://msrc-blog.microsoft.com/2021/07/08/clarified-guidance-for-cve-2021-34527-windows-print-spooler-vulnerability/>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675>\n * <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/b96cc497-59e5-4510-ab04-5484993b259b>\n * <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/353ff796-6fb3-41cf-8b35-0022dd53d886>\n * <https://docs.microsoft.com/en-us/windows-hardware/drivers/print/introduction-to-point-and-print>\n * <https://docs.microsoft.com/en-us/windows/win32/printdocs/addprinterdriverex>\n * <https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7>\n * <https://github.com/afwu/PrintNightmare>\n * <https://github.com/cube0x0/CVE-2021-1675>\n * <https://github.com/calebstewart/CVE-2021-1675>\n\n### Other Information\n\n**CVE IDs:** | [CVE-2021-1675 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-1675>) [CVE-2021-34527 ](<http://web.nvd.nist.gov/vuln/detail/CVE-2021-34527>) \n---|--- \n**Date Public:** | 2021-06-30 \n**Date First Published:** | 2021-06-30 \n**Date Last Updated: ** | 2021-07-12 22:17 UTC \n**Document Revision: ** | 31 \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-30T00:00:00", "type": "cert", "title": "Microsoft Windows Print Spooler allows for RCE via AddPrinterDriverEx()", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1675", "CVE-2021-34527"], "modified": "2021-07-12T22:17:00", "id": "VU:383432", "href": "https://www.kb.cert.org/vuls/id/383432", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}