ID RAPID7BLOG:44EA89871AFF6881B909B9FD0E07034F Type rapid7blog Reporter Greg Wiseman Modified 2021-02-09T23:51:27
Description
The second Patch Tuesday of 2021 is relatively light on the vulnerability count, with 64 CVEs being addressed across the majority of Microsoft’s product families. Despite that, there’s still plenty to discuss this month.
Vulnerability Breakdown by Software Family
Family | Vulnerability Count
---|---
Windows | 28
ESU | 14
Microsoft Office | 11
Browser | 9
Developer Tools | 8
Microsoft Dynamics | 2
Exchange Server | 2
Azure | 2
System Center | 2
Exploited and Publicly Disclosed Vulnerabilities
One zero-day was announced: CVE-2021-1732 is a privilege elevation vulnerability affecting the Win32k component of Windows 10 and Windows Server 2019, reported to be exploited in the wild. Four vulnerabilities have been previously disclosed: CVE-2021-1727, a privilege elevation vulnerability in Windows Installer, affecting all supported versions of Windows; CVE-2021-24098, which is a denial of service (DoS) affecting Windows 10 and Server 2019; CVE-2021-24106, an information disclosure vulnerability affecting DirectX in Windows 10 and Server 2019; and CVE-2021-26701, an RCE in .NET Core.
Vulnerabilities in Windows TCP/IP
Microsoft also disclosed a set of three serious vulnerabilities affecting the TCP/IP networking stack in all supported versions of Windows. Two of these (CVE-2021-24074 and CVE-2021-24094) carry a base CVSSv3 score of 9.8 and could allow Remote Code Execution (RCE). CVE-2021-24094 is specific to IPv6 link-local addresses, meaning it isn’t exploitable over the public internet. CVE-2021-24074, however, does not have this limitation. The third, CVE-2021-24086, is a DoS vulnerability that could allow an attacker to trigger a “blue screen of death” on any Windows system that is directly exposed to the internet, using only a small amount of network traffic. The RCE exploits are probably not a threat in the short term, due to the complexity of the vulnerabilities, but DoS attacks are expected to be seen much more quickly. Windows systems should be patched as soon as possible to protect against these.
In the event a patch cannot be applied immediately, such as on systems that cannot be rebooted, Microsoft has published mitigation guidance that will protect against exploitation of the TCP/IP vulnerabilities. Depending on the exposure of an asset, IPv4 Source Routing should be disabled via a Group Policy or a Netsh command, and IPv6 packet reassembly should be disabled via a separate Netsh command. IPv4 Source Routing requests and IPv6 fragments can also be blocked at load balancers, firewalls, or other edge devices to mitigate these issues.
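The host-side workaround described above can be scripted so the change is recorded and reversible. This is an added example, not part of the original post: the netsh settings and the rollback values are the ones listed in Microsoft's advisories for these CVEs, while the script layout, the `-Action` parameter, and the state file name are assumptions made for illustration.

```powershell
# Added example (not from the original post): show, apply, or roll back the
# TCP/IP workarounds on one host. Run from an elevated PowerShell session.
param(
    [ValidateSet('Show', 'Apply', 'Rollback')]
    [string]$Action = 'Show'
)

function Get-StackState {
    # Read the two settings the workarounds touch. The labels matched here are
    # the English netsh output; on localized systems inspect the full output.
    $v4 = netsh int ipv4 show global | Select-String 'Source Routing Behavior'
    $v6 = netsh int ipv6 show global | Select-String 'Reassembly Limit'
    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        CheckedAt       = Get-Date
        SourceRouting   = ([string]$v4.Line -split ':', 2)[-1].Trim()
        ReassemblyLimit = ([string]$v6.Line -split ':', 2)[-1].Trim()
    }
}

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    netsh @NetshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

switch ($Action) {
    'Apply' {
        # Record the pre-change state (hypothetical file name) before touching anything.
        Get-StackState | Export-Csv -Path '.\tcpip-state-before.csv' -NoTypeInformation

        # IPv4: drop source-routed packets (workaround for CVE-2021-24074).
        Invoke-Netsh 'int', 'ipv4', 'set', 'global', 'sourceroutingbehavior=drop'

        # IPv6: disable fragment reassembly (workaround for CVE-2021-24086 and
        # CVE-2021-24094). All IPv6 fragments are dropped while this is set, so
        # check for services that depend on fragmented IPv6 traffic first.
        Invoke-Netsh 'int', 'ipv6', 'set', 'global', 'reassemblylimit=0'
    }
    'Rollback' {
        # Restore values given in Microsoft's advisories; compare them with the
        # state saved before the change.
        Invoke-Netsh 'int', 'ipv4', 'set', 'global', 'sourceroutingbehavior=dontforward'
        Invoke-Netsh 'int', 'ipv6', 'set', 'global', 'reassemblylimit=267748640'
    }
}

# Always finish by printing the resulting state so it can be logged centrally.
Get-StackState
```

Run it with `-Action Show` across the fleet first to see which hosts still need the workaround, and roll back once the February updates are installed.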
Zerologon Update
Back in August 2020, Microsoft addressed a critical remote code vulnerability (CVE-2020-1472) affecting the Netlogon protocol (MS-NRPC), a.k.a. “Zerologon”. In October, Microsoft noted that attacks which exploit this weakness have been seen in the wild. On January 14, 2021, they reminded organizations that the February 2021 security update bundle will also be enabling “Domain Controller enforcement mode” by default to fully address this weakness. Any system that tries to make an insecure Netlogon connection will be denied access. Any business-critical process that relies on these insecure connections will cease to function. Rapid7 encourages all organizations to heed the detailed guidance before applying the latest updates to ensure business process continuity.
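To find the systems that enforcement mode would cut off, domain controllers can be checked for the Netlogon secure-channel events that Microsoft's CVE-2020-1472 guidance documents. This is an added example, not part of the original post: the event IDs come from that guidance, and the script parameters and the message-field regex are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run against each domain controller
# with rights to read its System event log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

# Netlogon event IDs documented in Microsoft's CVE-2020-1472 guidance.
$meaning = @{
    5827 = 'Denied: vulnerable connection, machine account'
    5828 = 'Denied: vulnerable connection, trust account'
    5829 = 'Allowed: vulnerable connection (initial deployment phase)'
    5830 = 'Allowed by Group Policy exception: machine account'
    5831 = 'Allowed by Group Policy exception: trust account'
}

$filter = @{
    LogName   = 'System'
    Id        = [int[]]@($meaning.Keys)
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'NETLOGON' }

if (-not $events) {
    "No Netlogon secure-channel events (5827-5831) on $ComputerName in the last $Days days."
    return
}

$events | ForEach-Object {
    # Assumption: the English event text names the account on a
    # 'SamAccountName:' or 'Trust Name:' line. If the pattern does not match,
    # the account is left for manual review of the event message.
    $account = if ($_.Message -match '(?:SamAccountName|Trust Name):\s*(\S+)') {
        $Matches[1]
    } else {
        '(see event message)'
    }
    [pscustomobject]@{
        Id      = $_.Id
        Meaning = $meaning[$_.Id]
        Account = $account
        Time    = $_.TimeCreated
    }
} | Group-Object Id, Account | ForEach-Object {
    # One row per (event ID, account): how often and how recently it appeared.
    [pscustomobject]@{
        Count    = $_.Count
        Id       = $_.Group[0].Id
        Meaning  = $_.Group[0].Meaning
        Account  = $_.Group[0].Account
        LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
    }
} | Sort-Object Count -Descending
```

Accounts that appear under 5829 are the ones that will start failing once enforcement is on; accounts under 5830 or 5831 are being let through by an explicit policy exception and should be reviewed.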
Adobe
Most important amongst the six security advisories published by Adobe today is APSB21-09, detailing 23 CVEs affecting Adobe Acrobat and Reader. Six of these are rated Critical and allow Arbitrary Code Execution, one of which (CVE-2021-21017) has been seen exploited in the wild in attacks targeting Adobe Reader users on Windows.
Summary Tables
Azure Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-24109 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | No | No | 6.8 | Yes
CVE-2021-24087 | Azure IoT CLI extension Elevation of Privilege Vulnerability | No | No | 7 | Yes
Browser Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-24100 | Microsoft Edge for Android Information Disclosure Vulnerability | No | No | 5 | Yes
CVE-2021-24113 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | No | No | 4.6 | Yes
CVE-2021-21148 | Chromium CVE-2021-21148: Heap buffer overflow in V8 | N/A | N/A | nan | Yes
CVE-2021-21147 | Chromium CVE-2021-21147: Inappropriate implementation in Skia | N/A | N/A | nan | Yes
CVE-2021-21146 | Chromium CVE-2021-21146: Use after free in Navigation | N/A | N/A | nan | Yes
CVE-2021-21145 | Chromium CVE-2021-21145: Use after free in Fonts | N/A | N/A | nan | Yes
CVE-2021-21144 | Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups | N/A | N/A | nan | Yes
CVE-2021-21143 | Chromium CVE-2021-21143: Heap buffer overflow in Extensions | N/A | N/A | nan | Yes
CVE-2021-21142 | Chromium CVE-2021-21142: Use after free in Payments | N/A | N/A | nan | Yes
Developer Tools Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-26700 | Visual Studio Code npm-script Extension Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-1639 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7 | No
CVE-2021-1733 | Sysinternals PsExec Elevation of Privilege Vulnerability | No | Yes | 7.8 | Yes
CVE-2021-24105 | Package Managers Configurations Remote Code Execution Vulnerability | No | No | 8.4 | Yes
CVE-2021-24111 | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No
CVE-2021-1721 | .NET Core and Visual Studio Denial of Service Vulnerability | No | Yes | 6.5 | No
CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability | No | Yes | 8.1 | Yes
CVE-2021-24112 | .NET Core Remote Code Execution Vulnerability | No | No | 8.1 | Yes
ESU Windows Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-24080 | Windows Trust Verification API Denial of Service Vulnerability | No | No | 6.5 | No
CVE-2021-24074 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-24094 | Windows TCP/IP Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-24086 | Windows TCP/IP Denial of Service Vulnerability | No | No | 7.5 | Yes
CVE-2021-1734 | Windows Remote Procedure Call Information Disclosure Vulnerability | No | No | 7.5 | Yes
CVE-2021-25195 | Windows PKU2U Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
CVE-2021-24088 | Windows Local Spooler Remote Code Execution Vulnerability | No | No | 8.8 | No
CVE-2021-1727 | Windows Installer Elevation of Privilege Vulnerability | No | Yes | 7.8 | No
CVE-2021-24077 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-1722 | Windows Fax Service Remote Code Execution Vulnerability | No | No | 8.1 | Yes
CVE-2021-24102 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24103 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24078 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes
CVE-2021-24083 | Windows Address Book Remote Code Execution Vulnerability | No | No | 7.8 | No
Exchange Server Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-24085 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 6.5 | Yes
CVE-2021-1730 | Microsoft Exchange Server Spoofing Vulnerability | No | No | 5.4 | Yes
Microsoft Dynamics Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-1724 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | No | No | 6.1 | No
CVE-2021-24101 | Microsoft Dataverse Information Disclosure Vulnerability | No | No | 6.5 | Yes
Microsoft Office Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-24073 | Skype for Business and Lync Spoofing Vulnerability | No | No | 6.5 | No
CVE-2021-24099 | Skype for Business and Lync Denial of Service Vulnerability | No | No | 6.5 | No
CVE-2021-24114 | Microsoft Teams iOS Information Disclosure Vulnerability | No | No | 5.7 | Yes
CVE-2021-1726 | Microsoft SharePoint Spoofing Vulnerability | No | No | 8 | Yes
CVE-2021-24072 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | No
CVE-2021-24066 | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2021-24071 | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 5.3 | Yes
CVE-2021-24067 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-24068 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-24069 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
CVE-2021-24070 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes
System Center Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-1728 | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 8.8 | Yes
CVE-2021-24092 | Microsoft Defender Elevation of Privilege Vulnerability | No | No | 7.8 | Yes
Windows Vulnerabilities
CVE | Vulnerability Title | Exploited | Publicly Disclosed | CVSSv3 Base Score | FAQ?
---|---|---|---|---|---
CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability | Yes | No | 7.8 | No
CVE-2021-1698 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24075 | Windows Network File System Denial of Service Vulnerability | No | No | 6.8 | No
CVE-2021-24084 | Windows Mobile Device Management Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2021-24096 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 | No
CVE-2021-24093 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 8.8 | Yes
CVE-2021-24106 | Windows DirectX Information Disclosure Vulnerability | No | Yes | 5.5 | Yes
CVE-2021-24098 | Windows Console Driver Denial of Service Vulnerability | No | Yes | 5.5 | Yes
CVE-2021-24091 | Windows Camera Codec Pack Remote Code Execution Vulnerability | No | No | 7.8 | No
CVE-2021-24079 | Windows Backup Engine Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2021-1731 | PFX Encryption Security Feature Bypass Vulnerability | No | No | 5.5 | Yes
CVE-2021-24082 | Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability | No | No | 4.3 | No
CVE-2021-24076 | Microsoft Windows VMSwitch Information Disclosure Vulnerability | No | No | 5.5 | Yes
CVE-2021-24081 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability | No | No | 7.8 | No
Summary Charts
_Note: Chart data is reflective of data presented by Microsoft's CVRF at the time of writing._
(CVE-2021-1731,\n CVE-2021-24082)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601315: Windows 10 Version 1909 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24084", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601315.NASL", "href": "https://www.tenable.com/plugins/nessus/146326", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146326);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601315\");\n script_xref(name:\"MSFT\", value:\"MS21-4601315\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601315: Windows 10 Version 1909 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601315-os-build-18363-1377-bdd71d2f-6729-e22a-3150-64324e4ab954\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93fc3ad3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601315.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601315');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. 
(CVE-2021-1731,\n CVE-2021-24082)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24084", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-24096", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601345.NASL", "href": "https://www.tenable.com/plugins/nessus/146337", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146337);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601345\");\n script_xref(name:\"MSFT\", value:\"MS21-4601345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update\"); #todo: review auto KB4601345: Windows 10 1809 and Windows Server 2019 1809 Feb 2021 Security Update\")\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601345-os-build-17763-1757-c38b7b85-0d84-d979-1a29-e4ba97b82042?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0231130\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601345.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601345');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601345])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T06:44:11", "description": "The remote Windows host is missing security update 4601319.\nIt is, therefore, 
affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. 
(CVE-2021-1731,\n CVE-2021-24082)", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601319: Windows 10 version 2004 Feb 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24084", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24075", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-24096", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601319.NASL", "href": "https://www.tenable.com/plugins/nessus/146345", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146345);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24075\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601319\");\n script_xref(name:\"MSFT\", value:\"MS21-4601319\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601319: Windows 10 version 2004 Feb 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. 
An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4601319\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4601319 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list(\n '4601319'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n|| \nsmb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601318.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24111)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-24082)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24096, CVE-2021-24102,\n CVE-2021-24103, CVE-2021-25195)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601318: Windows 10 Version 1607 and Windows Server 2016 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24111", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24102", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-24096", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601318.NASL", "href": "https://www.tenable.com/plugins/nessus/146329", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive 
text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146329);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24111\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601318\");\n script_xref(name:\"MSFT\", value:\"MS21-4601318\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601318: Windows 10 Version 1607 and Windows Server 2016 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601318.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24111)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application.\n (CVE-2021-24082)\n\n - An information disclosure vulnerability. 
An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24096, CVE-2021-24102,\n CVE-2021-24103, CVE-2021-25195)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601318-os-build-14393-4225-c5e3de6c-e3e6-ffb5-6197-48b9ce16446e\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a87e94d6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601318.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601318');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'14393',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601318])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24083,\n CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. 
(CVE-2021-1731,\n CVE-2021-24082)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601354: Windows 10 Version 1803 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24102", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1731", "CVE-2021-24080", "CVE-2021-24093", "CVE-2021-24074", "CVE-2021-1698", "CVE-2021-25195", "CVE-2021-24094", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601354.NASL", "href": "https://www.tenable.com/plugins/nessus/146339", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146339);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601354\");\n script_xref(name:\"MSFT\", value:\"MS21-4601354\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601354: Windows 10 Version 1803 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24083,\n CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601354-os-build-17134-2026-04614869-9ce5-cc3b-655a-bc66eb7cb4b0\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbcfd44b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601354.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and 
is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601354');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601354])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T06:44:11", "description": "The remote Windows host is missing security update 4601331.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24094)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)", "edition": 3, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601331: Windows 10 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24102", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24080", "CVE-2021-24074", "CVE-2021-25195", "CVE-2021-24081", "CVE-2021-24094", "CVE-2021-24091", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601331.NASL", "href": "https://www.tenable.com/plugins/nessus/146335", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146335);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24094\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601331\");\n script_xref(name:\"MSFT\", value:\"MS21-4601331\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093\");\n\n script_name(english:\"KB4601331: Windows 10 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601331.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24094)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601331-os-build-10240-18842-6227d078-fef3-8d67-27e0-1882e6cb79ff?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8b24a2ba\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601331.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601331');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'10240',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601331])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601357\nor cumulative update 4601348. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601357: Windows Server 2012 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24102", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24080", "CVE-2021-24074", "CVE-2021-25195", "CVE-2021-24094", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601348.NASL", "href": "https://www.tenable.com/plugins/nessus/146338", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146338);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24094\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601348\");\n script_xref(name:\"MSKB\", value:\"4601357\");\n script_xref(name:\"MSFT\", value:\"MS21-4601348\");\n script_xref(name:\"MSFT\", value:\"MS21-4601357\");\n\n script_name(english:\"KB4601357: Windows Server 2012 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601357\nor cumulative update 4601348. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601348-monthly-rollup-2c338c0c-73d6-fb80-cc91-f1a86e80db0c\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?31139f03\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601357-security-only-update-0c7512be-0c6b-55fd-a3dd-4b23889faeb1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?47bca199\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4601357 or Cumulative Update KB4601348.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601348', '4601357');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.2',\n sp:0,\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601348, 4601357])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601349\nor cumulative update 4601384. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24080,\n CVE-2021-24086)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601349: Windows 8.1 and Windows Server 2012 R2 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24079", "CVE-2021-24076", "CVE-2021-24102", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24080", "CVE-2021-24074", "CVE-2021-25195", "CVE-2021-24094", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601384.NASL", "href": "https://www.tenable.com/plugins/nessus/146341", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146341);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24094\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601349\");\n script_xref(name:\"MSKB\", value:\"4601384\");\n script_xref(name:\"MSFT\", value:\"MS21-4601349\");\n script_xref(name:\"MSFT\", value:\"MS21-4601384\");\n\n script_name(english:\"KB4601349: Windows 8.1 and Windows Server 2012 R2 February 2021 Security Update\"); \n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601349\nor cumulative update 4601384. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. 
An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601349-security-only-update-6de503d8-2aa2-589f-fd75-c5e308f488f6\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?922030bd\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601384-monthly-rollup-16bdbb75-dd4b-2910-abc5-7891c9756b96\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?04a48a8a\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4601349 or Cumulative Update KB4601384.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601349', '4601384');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit('SMB/ProductName', exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.3',\n sp:0,\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601349, 4601384])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601363\nor cumulative update 4601347. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24080,\n CVE-2021-24086)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601363: Windows 7 and Windows Server 2008 R2 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24083", "CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24102", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24080", "CVE-2021-24074", "CVE-2021-25195", "CVE-2021-24094", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601347.NASL", "href": "https://www.tenable.com/plugins/nessus/146342", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146342);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24080\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24094\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601363\");\n script_xref(name:\"MSKB\", value:\"4601347\");\n script_xref(name:\"MSFT\", value:\"MS21-4601363\");\n script_xref(name:\"MSFT\", value:\"MS21-4601347\");\n\n script_name(english:\"KB4601363: Windows 7 and Windows Server 2008 R2 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601363\nor cumulative update 4601347. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1734)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601363-security-only-update-a37e890f-974f-7bdb-2664-b627e9436b06\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d1f488e9\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601347-monthly-rollup-c0ae9599-f93d-68ee-7542-0aa3564f3190\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3b47172c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4601363 or Cumulative Update KB4601347.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601363', '4601347');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.1',\n sp:1,\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601363, 4601347])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T14:19:49", "description": "The remote Windows host is missing security update 4601366\nor cumulative update 4601360. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24088, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734)", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "title": "KB4601366: Windows Server 2008 February 2021 Security Update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-24103", "CVE-2021-1722", "CVE-2021-24086", "CVE-2021-24102", "CVE-2021-1734", "CVE-2021-24077", "CVE-2021-1727", "CVE-2021-24080", "CVE-2021-24074", "CVE-2021-24094", "CVE-2021-24078", "CVE-2021-24088"], "modified": "2021-02-09T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601360.NASL", "href": "https://www.tenable.com/plugins/nessus/146327", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146327);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/12\");\n\n script_cve_id(\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24080\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24094\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\"\n );\n script_xref(name:\"MSKB\", value:\"4601366\");\n script_xref(name:\"MSKB\", value:\"4601360\");\n script_xref(name:\"MSFT\", value:\"MS21-4601366\");\n script_xref(name:\"MSFT\", value:\"MS21-4601360\");\n\n script_name(english:\"KB4601366: Windows Server 2008 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601366\nor cumulative update 4601360. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24088, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1727, CVE-2021-24102, CVE-2021-24103)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. 
(CVE-2021-1734)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601366-security-only-update-d39d59e0-98a3-2ef6-52e2-d7e6fa1d5399\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c14cbe6f\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601360-monthly-rollup-007cc495-ad6e-4cc4-520a-23cc4d766205\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8c43eb33\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4601366 or Cumulative Update KB4601360.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24074\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601366', '4601360');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'6.0',\n sp:2,\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601366, 4601360])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "msrc": [{"lastseen": "2021-02-09T18:43:30", "bulletinFamily": "blog", "cvelist": ["CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24094"], "description": "Today Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. 
We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move \u2026\n\n[ Multiple Security Updates Affecting TCP/IP: CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086 Read More \u00bb](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>)", "modified": "2021-02-09T18:10:59", "published": "2021-02-09T18:10:59", "id": "MSRC:E730BB5421ADC3C2D8E7B5B1C5CD88FB", "href": "https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/", "type": "msrc", "title": "Multiple Security Updates Affecting TCP/IP:\u202f CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-10-29T21:40:29", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "Microsoft has received a small number of reports from customers and others about continued activity exploiting a vulnerability affecting the Netlogon protocol (CVE-2020-1472) which was previously addressed in security updates starting on August 11, 2020. 
If the original guidance is not applied, the vulnerability could allow an attacker to spoof a domain controller account that could be \u2026\n\n[ Attacks exploiting Netlogon vulnerability (CVE-2020-1472) Read More \u00bb](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)", "modified": "2020-10-29T20:02:19", "published": "2020-10-29T20:02:19", "id": "MSRC:96F2FB0D77EED0ABDED8EBD64AEBEA09", "href": "https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/", "type": "msrc", "title": "Attacks exploiting Netlogon vulnerability (CVE-2020-1472)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-02-09T22:45:30", "bulletinFamily": "info", "cvelist": ["CVE-2020-0986", "CVE-2020-1472", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-24112", "CVE-2021-26701"], "description": "Microsoft has addressed nine critical-severity cybersecurity bugs in February\u2019s Patch Tuesday updates, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nSix of the security holes \u2013 including one of the critical bugs \u2013 were already publicly disclosed.\n\nOverall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.\n\n## **Actively Exploited Security Bug in Windows Kernel**\n\nThe security bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>) is 
being actively exploited, according to Microsoft\u2019s advisory. It carries a vulnerability-severity rating of 7.8 on the CVSS scale, making it important in severity \u2013 however, researchers said it deserves attention above some of the critical bugs in terms of patching priority.\n\nIt exists in the Windows Win32k operating system kernel and is an elevation-of-privilege (EoP) vulnerability. It would allow a logged-on user to execute code of their choosing with higher privileges, by running a specially crafted application. If successful, attackers could execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted on the compromised machine.\n\n\u201cThe vulnerability affects Windows 10 and corresponding server editions of the Windows OS,\u201d said Chris Goettl, senior director of product management and security at Ivanti. \u201cThis is a prime example of why risk-based prioritization is so important. If you base your prioritization off of vendor severity and focus on \u2018critical\u2019 you could have missed this vulnerability in your prioritization. 
This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.\u201d\n\n## **Critical Microsoft Bugs for February Patch Tuesday**\n\nNone of the critical bugs rate more than an 8.8 (out of 10) on the CVSS scale, but all allow for remote code execution (RCE) and many should take top priority, according to security researchers.\n\n * ### Publicly Known .NET Core/Visual Studio Bug\n\nFor instance, the bug tracked as [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) exists in .NET Core and Visual Studio \u2013 it\u2019s the only critical-rated bug to be listed as publicly known.\n\n\u201cWithout more information from Microsoft, that\u2019s about all we know about it,\u201d said Dustin Childs, of Trend Micro\u2019s Zero Day Initiative, in [an analysis](<https://www.zerodayinitiative.com/blog/2021/2/9/the-february-2022-security-update-review>) released Tuesday. \u201cBased on the CVSS severity scale, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.\u201d\n\n * ### **Windows Fax Bugs**\n\nOther critical bugs should be on researchers\u2019 radars. The bugs tracked as [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) meanwhile are both Windows Fax Service RCE problems.\n\n\u201cWindows Fax Service specifies settings for faxes, including how they are sent, received, viewed and printed,\u201d said Eric Feldman, senior product marketing manager at Automox. 
\u201cThe Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8 and Windows 10 and some earlier versions.\u201d\n\nAn attacker who successfully exploited either vulnerability could take control of an affected system, and then be able to install programs; view, change or delete data; or create new accounts with full user rights.\n\n\u201cUsers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Feldman said. \u201cEven if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.\u201d\n\n * ### **Critical TCP/IP Bugs**\n\n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) are both Windows TCP/IP RCE vulnerabilities. The former is found in the way Windows handles IPv4 source routing; the latter is found in the way Windows handles IPv6 packet reassembly.\n\n\u201cIPv4 source routing\u2026should be disabled by default,\u201d said Childs. \u201cYou can also block source routing at firewalls or other perimeter devices. 
The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.\u201d\n\nResearchers said that both these patches should be prioritized.\n\n\u201cBecause these affect the network stack, require zero interaction from a user and can be exploited by sending malicious network traffic to a device, it\u2019s only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks,\u201d Chris Hass, director of information security and research at Automox, said.\n\nKevin Breen, director of cyber threat research at Immersive Labs, said that the IPv6 security hole is an obvious target for hackers.\n\n\u201cCVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore gain an attacker a system shell,\u201d he said. \u201cAs an IPV6 Link local attack it would require the threat actor to already have a foothold in your network, but could ultimately lead to a high level of access on domain controllers, for example. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.\u201d\n\nBreen also pointed out that RCE isn\u2019t the only possible outcome of an exploit for this bug.\n\n\u201cThe release notes indicate that the exploit is \u2018complex\u2019 \u2013 which means attempted attacks may serve to cause systems to crash, giving it the potential to be used in a denial-of-service attack,\u201d he said.\n\n * ### **Flaw in Windows Codec Pack**\n\nWindows Camera Codec Pack is home to yet another critical RCE bug ([CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>)). 
If successfully exploited, an attacker could run arbitrary code in the context of the current user.\n\n\u201cIf the current user is logged on with admin privileges, the attacker could gain control of the affected system,\u201d said Justin Knapp, senior product marketing manager at Automox. \u201cThis could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there\u2019s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.\u201d\n\n * ### **Windows DNS Problems**\n\nAnd Windows Domain Name System (DNS) servers, when they fail to properly handle requests, are also open to a critical RCE bug ([CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>)) that could allow an attacker to run arbitrary code in the context of the Local System Account.\n\n\u201cOnly Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited,\u201d Knapp said. \u201cTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. 
Given the low level of attack complexity and \u2018exploitation more likely\u2019 label assigned, this is a vulnerability that should be addressed immediately.\u201d\n\n * ### **Windows Print Spooler**\n\nAlso of note, _[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>)_ affects the Windows Local Spooler, which is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them.\n\nIt\u2019s a bug that \u201ccould be a big concern,\u201d according to Allan Liska, senior security architect at Recorded Future.\n\n\u201cThis vulnerability impacts Windows 7 to 10 and Windows Server 2008 to 2019,\u201d he said. \u201cWindows Print Spooler vulnerabilities have been widely exploited in the wild going back to the days of Stuxnet. Just last year CVE-2020-0986 was seen by Kaspersky being [widely exploited in the wild.](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>)\u201d\n\n * ### **Other Critical February 2021 Microsoft Bugs**\n\nAnd finally, .NET Core for Linux is also at risk for RCE ([CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>)); and [CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) is a critical RCE vulnerability in the Windows graphic component. Details are scant for both, but of the latter, Breen said, \u201cThis is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.\u201d\n\nAnd, a critical bug that would allow RCE exists in the Microsoft Windows Codecs Library ([CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>)). Details are sparse, but Microsoft said that the difficulty required for exploitation is considered to be low. 
However, end-user interaction is required for successful exploitation.\n\n### **Publicly Disclosed Bugs of Note**\n\nOutside of the critical issues, [CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) is a high-severity EoP vulnerability discovered to be impacting Sysinternals PsExec utility that deserves a look. It\u2019s listed as being publicly disclosed.\n\n\u201cPsExec which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due the utility\u2019s weaponization by criminals in malware,\u201d Nicholas Colyer, senior product marketing manager at Automox, said via email. \u201cProof-of-concept code has not been independently verified but it is notable that in January 2021, Microsoft released a patch to resolve a remote code-execution vulnerability for the same utility, indicating that it is getting attention. Robust endpoint management is necessary for any organization\u2019s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.\u201d\n\nThe other publicly reported vulnerabilities this month are [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), an EoP vulnerability in Windows Installer; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), a DoS vulnerability in the Windows Console Driver; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information-disclosure vulnerability in Windows DirectX; and [CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>), a .NET Core and Visual Studio DoS problem.\n\n## **Zerologon Redux**\n\nMicrosoft also again released the patch for the Netlogon vulnerability (CVE-2020-1472), which originally was resolved in August. 
The vulnerability has [consistently been exploited](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) by threat actors, so the re-release serves to highlight its importance. Microsoft also starting Tuesday [began blocking by default](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) any vulnerable connections on devices that could be used to exploit the flaw. It does this by enabling domain controller \u201cenforcement mode.\u201d\n\n\u201cWhen you consider that Zerologon led the U.S. government to issue an Emergency Directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation,\u201d Satnam Narang, staff research engineer at Tenable, told Threatpost. \u201cZerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself.\u201d\n\nHe added, \u201cFor these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We\u2019ve also seen reports of Zerologon being favored by ransomware groups like Ryuk during their campaigns.\u201d\n\n## **What Should IT Patch First?**\n\n\u201cWindows OS updates and [Adobe Acrobat and Reader](<https://threatpost.com/critical-adobe-windows-flaw/163789/>) need immediate attention with the list of exploited and publicly disclosed vulnerabilities,\u201d said Goettl.\n\nAfter that, development tools and IT tools \u201cneed some attention,\u201d he added.\n\n\u201c.Net Core and PsExec disclosures are a concern that should not go unaddressed. 
Because this development and IT tools do not follow the same update process as OS and application updates, it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components,\u201d he said. \u201cFor tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.\u201d\n", "modified": "2021-02-09T22:33:08", "published": "2021-02-09T22:33:08", "id": "THREATPOST:1502920D4F50B0D128077B515815C023", "href": "https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/", "type": "threatpost", "title": "Actively Exploited Windows Kernel Bug Allows Takeover", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2021-02-15T13:26:26", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-24100", "CVE-2021-24114", "CVE-2021-26701"], "description": "Microsoft on Tuesday [issued fixes for 56 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Feb>), including a critical vulnerability that's known to be actively exploited in the wild.\n\nIn all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity \u2014 six of which are previously disclosed vulnerabilities.\n\nThe updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).\n\n### A Windows Win32k Privilege Escalation Vulnerability\n\nThe most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. 
Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and reporting the vulnerability.\n\nIn a separate technical write-up, the researchers said a zero-day exploit leveraging the flaw was detected in a \"very limited number of attacks\" against victims located in China by a threat actor named Bitter APT. The attacks were discovered in December 2020.\n\n\"This zero-day is a new vulnerability which caused by win32k callback, it could be used to escape the sandbox of Microsoft [Internet Explorer] browser or Adobe Reader on the latest Windows 10 version,\" DBAPPSecurity researchers [said](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>). \"The vulnerability is high quality and the exploit is sophisticated.\"\n\nIt's worth noting that Adobe, as part of its February patch, [addressed](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) a critical buffer overflow flaw in Adobe Acrobat and Reader for Windows and macOS (CVE-2021-21017) that it said could lead to arbitrary code execution in the context of the current user.\n\nThe company also warned of active exploitation attempts against the bug in the wild in limited attacks targeting Adobe Reader users on Windows, mirroring aforementioned findings from DBAPPSecurity.\n\nWhile neither Microsoft nor Adobe has provided additional details, the concurrent patching of the two flaws raises the possibility that the vulnerabilities are being chained to carry out the in-the-wild attacks.\n\n### Netlogon Enforcement Mode Goes Into Effect\n\nMicrosoft's Patch Tuesday update also resolves a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-24078), .NET Core, and Visual Studio (CVE-2021-26701), Microsoft Windows Codecs Library (CVE-2021-24081), and Fax Service (CVE-2021-1722 and CVE-2021-24077).\n\nThe RCE in 
Windows DNS server component is rated 9.8 for severity, making it a critical vulnerability that, if left unpatched, could permit an unauthorized adversary to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nMicrosoft is also taking this month to push a second round of fixes for the [Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) flaw (CVE-2020-1472) that was originally resolved in August 2020, following which [reports of active exploitation](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) targeting unpatched systems emerged in September 2020.\n\nStarting February 9, the domain controller \"[enforcement mode](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)\" will be [enabled by default](<https://support.microsoft.com/help/4557222#EnablingEnforcementMode>), thus blocking \"vulnerable [Netlogon] connections from non-compliant devices.\"\n\nIn addition, the Patch Tuesday update rectifies two information disclosure bugs \u2014 one in Edge browser for Android (CVE-2021-24100) that could have revealed personally identifiable information and payment information of a user, and the other in Microsoft Teams for iOS (CVE-2021-24114) that could have exposed the Skype token value in the preview URL for images in the app.\n\n### RCE Flaws in Windows TCP/IP Stack\n\nLastly, the Windows maker released a set of fixes affecting its TCP/IP implementation \u2014 consisting of two RCE flaws (CVE-2021-24074 and CVE-2021-24094) and one denial of service vulnerability (CVE-2021-24086) \u2014 that it said could be exploited with a DoS attack.\n\n\"The DoS exploits for these CVEs would allow a remote attacker to cause a stop error,\" Microsoft [said](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) in an advisory. 
\"Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic. Thus, we recommend customers move quickly to apply Windows security updates this month.\"\n\nThe tech giant, however, noted that the complexity of the two TCP/IP RCE flaws would make it hard to develop functional exploits. But it expects attackers to create DoS exploits much more easily, turning the security weakness into an ideal candidate for exploitation in the wild.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or select Check for Windows updates.", "modified": "2021-02-15T11:58:01", "published": "2021-02-10T04:44:00", "id": "THN:0C87C22B19E7073574F7BA69985A07BF", "href": "https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html", "type": "thn", "title": "Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-06T08:40:21", "bulletinFamily": "info", "cvelist": ["CVE-2021-21142", "CVE-2021-21148"], "description": "Google has patched a zero-day vulnerability in the Chrome web browser for desktop that it says is being actively exploited in the wild.\n\nThe company released [88.0.4324.150](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>) for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering 
engine.\n\n\"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,\" the company said in a statement.\n\nThe security flaw was reported to Google by Mattias Buelens on January 24.\n\nPreviously on February 2, Google [addressed six issues in Chrome](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html>), including one critical use after free vulnerability in Payments (CVE-2021-21142) and four high severity flaws in Extensions, Tab Groups, Fonts, and Navigation features.\n\nWhile it's typical of Google to limit details of the vulnerability until a majority of users are updated with the fix, the development comes weeks after Google and Microsoft [disclosed](<https://thehackernews.com/2021/01/n-korean-hackers-targeting-security.html>) attacks carried out by North Korean hackers against security researchers with an elaborate social engineering campaign to install a Windows backdoor.\n\nWith some researchers infected simply by visiting a fake research blog on fully patched systems running Windows 10 and Chrome browser, Microsoft, in a report published on January 28, had hinted that the attackers likely leveraged a Chrome zero-day to compromise the systems.\n\nAlthough it's not immediately clear if CVE-2021-21148 was used in these attacks, the timing of the revelations and the fact that Google's advisory came out exactly one day after Buelens reported the issue implies they could be related.\n\nIn a separate technical write-up, South Korean cybersecurity firm ENKI [said](<https://enki.co.kr/blog/2021/02/04/ie_0day.html>) the North Korean state-sponsored hacking group known as Lazarus made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.\n\n\"The secondary payload contains the attack 
code that attacks the vulnerability of the Internet Explorer browser,\" ENKI researchers said.\n\nIt's worth noting that Google last year [fixed five Chrome zero-days](<https://thehackernews.com/2020/11/two-new-chrome-0-days-under-active.html>) that were actively exploited in the wild in a span of one month between October 20 and November 12.", "modified": "2021-02-06T07:03:40", "published": "2021-02-05T07:40:00", "id": "THN:2E0F12E8B4294632DF7D326E9360976B", "href": "https://thehackernews.com/2021/02/new-chrome-browser-0-day-under-active.html", "type": "thn", "title": "New Chrome Browser 0-day Under Active Attack\u2014Update Immediately!", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2021-02-13T13:09:08", "bulletinFamily": "blog", "cvelist": ["CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24094", "CVE-2021-26701"], "description": "Traditionally the second Tuesday of the month is Microsoft\u2019s \u201cpatch Tuesday\u201d. This is the day when they roll out all the available patches for their software, and their operating systems in particular.\n\nSince there were no less than 56 patches in this month\u2019s issue we will focus on the most important ones. Not that 56 is an awful lot. There were [more than 80 in January](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>).\n\n### Microsoft CVEs by importance\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. 
Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The most notable CVEs in this update were:\n\n * [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) Windows Win32k elevation of privilege (EoP) vulnerability. This one we listed first as it\u2019s actively exploited in the wild. With an EoP vulnerability attackers can raise their authorization permissions beyond those initially granted. For example, if an attacker gains access to a system but only has read-only permissions they can use an EoP vulnerability to raise them to \u201cread and write\u201d, giving them an option to make unwanted changes.\n * [CVE-2021-26701](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701>) a .NET Core Remote Code Execution (RCE) vulnerability. A remote code execution (RCE) attack happens when a threat actor illegally accesses and manipulates a computer or server without authorization from its owner. This is the only critical bug Microsoft listed as publicly known.\n * [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) an IPv4 security vulnerability concerning source routing behavior. Microsoft adds: IPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request.\n * [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) an IPv6 security vulnerability concerning the reassembly limit and related to the previous one. The reassembly limit controls the IP fragmentation, which is an Internet Protocol (IP) process that breaks packets into smaller fragments, so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host. 
Apparently an attacker could construct packets leading to a situation where a large number of fragments could lead to code execution.\n * [CVE-2021-1721](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1721>) a .NET Core and Visual Studio Denial of Service vulnerability. A Denial of Service attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.\n * [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) are both Windows Fax Service RCE problems. It's important to remember that even if you don\u2019t use \u201cWindows Fax and Scan\u201d, the Windows Fax Service is enabled by default.\n * [CVE-2021-1733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1733>) is for Sysinternals\u2019 PsExec Elevation of Privilege vulnerability. While this one is listed as not likely to be exploited, the tool itself is worth keeping an eye on, because it's so popular with cybercriminals. They like it because, as a legitimate administration tool, it isn't normally detected as malicious software by default.\n\nIf you are all about prioritizing your updates, these are the ones that we recommend doing first. Everyone else is advised to install the updates at their earliest convenience.\n\nOne other notable thing is the default enabling of the Domain Controller enforcement mode. This was done to counter the effects of the ZeroLogon vulnerability which is being exploited in the wild. We already covered the full story of [ZeroLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-zerologon/>) where this change was announced.\n\n### Adobe Reader for a change\n\nAnd while you are about to start your update cycles, you may want to have a look at this one from Adobe. 
Because this one is already actively being exploited as well. Where Adobe was notoriously famous for the bugs in their Flash Player, which has now reached [end-of-life](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>), occasionally a vulnerability in their Reader attracts some attention.\n\n[CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21017>) is a critical heap-based buffer overflow flaw. Heap is the name for a region of a process\u2019 memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.\n\nSo, by creating a specially crafted input, attackers could use this vulnerability to write code into a memory location where they normally wouldn\u2019t have access. In their advisory Adobe states that it has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\n\nBoth Adobe Acrobat and Adobe Reader will automatically detect if a new version of the software is available. The program will check for a new version when you launch either Acrobat or Reader as an application and will prompt you to install a new version when it's available. 
IT administrators can control the update settings by using the [Adobe Customization Wizard](<https://www.adobe.com/nl/devnet-docs/acrobatetk/tools/Wizard/WizardDC/index.html>).\n\nStay safe, everyone!", "modified": "2021-02-10T17:26:33", "published": "2021-02-10T17:26:33", "id": "MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/", "type": "malwarebytes", "title": "Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-02-12T13:10:45", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148"], "description": "Arch Linux Security Advisory ASA-202102-6\n=========================================\n\nSeverity: Critical\nDate : 2021-02-06\nCVE-ID : CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145\nCVE-2021-21146 CVE-2021-21147 CVE-2021-21148\nPackage : chromium\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1525\n\nSummary\n=======\n\nThe package chromium before version 88.0.4324.150-1 is vulnerable to\nmultiple issues including arbitrary code execution and incorrect\ncalculation.\n\nResolution\n==========\n\nUpgrade to 88.0.4324.150-1.\n\n# pacman -Syu \"chromium>=88.0.4324.150-1\"\n\nThe problems have been fixed upstream in version 88.0.4324.150.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2021-21142 (arbitrary code execution)\n\nA use after free security issue was found in the Payments 
component of\nthe Chromium browser before version 88.0.4324.146.\n\n- CVE-2021-21143 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the Extensions\ncomponent of the Chromium browser before version 88.0.4324.146.\n\n- CVE-2021-21144 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the Tab Groups\ncomponent of the Chromium browser before version 88.0.4324.146.\n\n- CVE-2021-21145 (arbitrary code execution)\n\nA use after free security issue was found in the Fonts component of the\nChromium browser before version 88.0.4324.146.\n\n- CVE-2021-21146 (arbitrary code execution)\n\nA use after free security issue was found in the Navigation component\nof the Chromium browser before version 88.0.4324.146.\n\n- CVE-2021-21147 (incorrect calculation)\n\nAn inappropriate implementation security issue was found in the Skia\ncomponent of the Chromium browser before version 88.0.4324.146.\n\n- CVE-2021-21148 (arbitrary code execution)\n\nA heap buffer overflow security issue was found in the V8 component of\nthe Chromium browser before version 88.0.4324.150.\n\nImpact\n======\n\nA remote attacker might be able to bypass security measures or execute\narbitrary code.\n\nReferences\n==========\n\nhttps://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop.html\nhttps://crbug.com/1169317\nhttps://crbug.com/1163504\nhttps://crbug.com/1163845\nhttps://crbug.com/1154965\nhttps://crbug.com/1161705\nhttps://crbug.com/1162942\nhttps://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html\nhttps://crbug.com/1170176\nhttps://security.archlinux.org/CVE-2021-21142\nhttps://security.archlinux.org/CVE-2021-21143\nhttps://security.archlinux.org/CVE-2021-21144\nhttps://security.archlinux.org/CVE-2021-21145\nhttps://security.archlinux.org/CVE-2021-21146\nhttps://security.archlinux.org/CVE-2021-21147\nhttps://security.archlinux.org/CVE-2021-21148", "modified": "2021-02-06T00:00:00", 
"published": "2021-02-06T00:00:00", "id": "ASA-202102-6", "href": "https://security.archlinux.org/ASA-202102-6", "type": "archlinux", "title": "[ASA-202102-6] chromium: multiple issues", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-02-12T14:36:06", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2021-02-10T01:20:58", "published": "2021-02-10T01:20:58", "id": "FEDORA:BB03930B3A56", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: chromium-88.0.4324.150-1.fc33", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-17T09:09:49", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21142", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21148"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2021-02-17T05:09:44", "published": "2021-02-17T05:09:44", "id": "FEDORA:4E16930B130B", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: chromium-88.0.4324.150-1.fc32", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-21T02:33:38", "bulletinFamily": "unix", "cvelist": ["CVE-2021-1721", "CVE-2021-24112"], "description": ".NET is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET contains a runtime conforming to .NET Standards a set of framework libraries, an SDK containing compilers and a 'dotnet' application to drive everything. 
", "modified": "2021-02-21T01:20:39", "published": "2021-02-21T01:20:39", "id": "FEDORA:72CCD30934AA", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: dotnet5.0-5.0.103-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-24T22:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2021-1721", "CVE-2021-24112"], "description": ".NET Core is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET Core contains a runtime conforming to .NET Standards a set of framework libraries, an SDK containing compilers and a 'dotnet' application to drive everything. ", "modified": "2021-02-24T20:47:20", "published": "2021-02-24T20:47:20", "id": "FEDORA:AD6B030BBFB2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: dotnet3.1-3.1.112-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-24T22:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2021-1721", "CVE-2021-24112"], "description": ".NET Core is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET Core contains a runtime conforming to .NET Standards a set of framework libraries, an SDK containing compilers and a 'dotnet' application to drive everything. 
", "modified": "2021-02-24T20:43:16", "published": "2021-02-24T20:43:16", "id": "FEDORA:66FF230BA179", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: dotnet3.1-3.1.112-1.fc33", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-24T22:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2021-1721", "CVE-2021-24112"], "description": ".NET is a fast, lightweight and modular platform for creating cross platform applications that work on Linux, macOS and Windows. It particularly focuses on creating console applications, web applications and micro-services. .NET contains a runtime conforming to .NET Standards a set of framework libraries, an SDK containing compilers and a 'dotnet' application to drive everything. ", "modified": "2021-02-24T20:47:25", "published": "2021-02-24T20:47:25", "id": "FEDORA:37DD030946F6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: dotnet5.0-5.0.103-1.fc32", "cvss": {"score": 0.0, "vector": "NONE"}}], "qualysblog": [{"lastseen": "2021-02-13T12:29:48", "bulletinFamily": "blog", "cvelist": ["CVE-2021-1732", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24086", "CVE-2021-24094"], "description": "This month\u2019s Microsoft Patch Tuesday addresses 56 vulnerabilities, of which 11 are rated as Critical. Adobe released patches today for Reader, Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver.\n\n### TCP/IP Trio\n\nMicrosoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). While there is no evidence that these vulnerabilities are exploited in wild, these vulnerabilities should be prioritized given their impact.\n\n### Windows Fax Service\n\nMicrosoft released patches to fix a remote code execution vulnerability in Windows Fax Service (CVE-2021-24077). 
This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching.\n\n### Windows DNS Server\n\nMicrosoft released patches to fix a remote code execution vulnerability in Windows DNS Server (CVE-2021-24078). This vulnerability has a CVSSv3 base score of 9.8 and should be prioritized for patching.\n\n### Windows Win32k Elevation of Privilege\n\nMicrosoft released updates to fix a local privilege escalation vulnerability in Win32K (CVE-2021-1732). This vulnerability is reportedly exploited in the wild and should be prioritized for patching.\n\n### Workstation Patches\n\nMicrosoft Office vulnerabilities should be prioritized for workstation-type devices.\n\n### Adobe\n\nAdobe issued patches today covering multiple vulnerabilities in Adobe Reader, Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver. Patching Adobe Acrobat and Reader should be prioritized as Adobe has received reports of CVE-2021-21017 exploited in wild targeting Adobe Reader users on Windows.\n\n### About Patch Tuesday\n\nPatch Tuesday QIDs are published at [Security Alerts](<https://www.qualys.com/research/security-alerts/>), typically late in the evening of [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), followed shortly after by [PT dashboards](<https://qualys-secure.force.com/discussions/s/article/000006505>).", "modified": "2021-02-09T20:22:38", "published": "2021-02-09T20:22:38", "id": "QUALYSBLOG:AD927BF1D1CDE26A3D54D9452C330BB3", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "February 2021 Patch Tuesday \u2013 56 Vulnerabilities, 11 Critical, Adobe", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-02T12:43:58", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472"], "description": "**Update October 1, 2020**: Microsoft has [added step-by-step Zerologon patching instructions 
](<https://www.databreachtoday.com/microsoft-issues-updated-patching-directions-for-zerologon-a-15090>)because the original instructions "proved confusing to users and may have caused issues with other business operations."\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later. \n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\n**Update Sept 24, 2020**: Microsoft is detecting [active attacks leveraging the Zerologon vulnerability](<https://www.zdnet.com/article/microsoft-says-it-detected-active-attacks-leveraging-zerologon-vulnerability/>). Security teams are advised to patch vulnerable systems immediately.\n\nOn Sept 11, 2020, A Dutch team, collectively known as Secura, published an [exploit](<https://github.com/SecuraBV/CVE-2020-1472>) on how an unauthenticated remote user can take control over the domain controller and leverage admin privileges. The vulnerability ([CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)) received the maximum severity rating score of 10.0 based on CVSS v3 Scoring system.\n\nThe prime elements of this vulnerability are the weak encryption standards and the authentication process used in the Netlogon protocol. As new Windows Domain Controllers use standard AES-256 as encryption standards, incorrect use of the AES mode results in spoofing the identity of any computer (DC) account and replace it with all zeroes or empty passwords. 
As the final output replaces all characters of the password with zeroes, this bug is also well-known as \u201cZerologon\u201d.\n\n**Affected Products**\n\n * Windows Servers 2008\n * Windows Servers 2012 R2\n * Windows Servers 2016\n * Windows Servers 2019\n\nA complete list of affected devices is available on Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\n### Identification of Assets using Qualys VMDR\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) makes it easy to identify Windows systems.\n\n_`(operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 "Zerologon". This helps in automatically grouping existing hosts with Zerologon as well as any new Windows server that spins up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>). \n\n### Discover Zerologon "CVE-2020-1472" Vulnerability\n\nNow that hosts with Zerologon are identified, you want to detect which of these assets have flagged this vulnerability. 
VMDR automatically detects new vulnerabilities like Zerologon based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for this vulnerability tagged with the \u2018Zerologon\u2019 asset tag in the vulnerabilities view by using this QQL query:\n\n_`vulnerabilities.vulnerability.qid:91668`_\n\nOR you could modify your search to :\n\n_`Vulnerability - vulnerabilities.vulnerability.qid:91668`_\n\n_`Asset - (operatingSystem.category1:``Windows`` and operatingSystem.category2:``Server``)`_\n\nThis will return a list of all impacted hosts.\n\n\n\nQID 91668 is available in signature version VULNSIGS-2.4.958-3 and above and can be detected using authenticated scanning or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.958.3-2 and above.\n\nAlong with the QID 91668, Qualys released the following IG QID 45461 to help customers track domain controller assets on which netlogon secure channel mode is enabled. This QID can be detected using authenticated scanning using VULNSIGS-2.4.986-3 and above or the [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) manifest version 2.4.986.3-2 and above. \n\n_`QID 45461 : Microsoft Windows Domain Controller Netlogon Secure Channel Enforcement Mode Enabled`_\n\n**Update October 1, 2020**: Qualys released new QID 91680 to add a remote (unauthenticated) check for the Zerologon vulnerability. The update is included in VULNSIGS-2.4.998-3 and later.\n\n_`QID 91680 : Microsoft Windows Netlogon Elevation of Privilege Vulnerability (unauthenticated check)`_\n\nPlease Note: We have tested the QID across Qualys lab environment on a variety of Windows versions, and we have not observed any issues. 
In case you experience issues with the remote detection, please reach out to Qualys Support for immediate attention.\n\nUsing VMDR, the Zerologon vulnerability can be prioritized for the following real-time threat indicators (RTIs):\n\n * Remote Code Execution\n * Privilege Escalation\n * Exploit Public\n * Active Attack\n * Denial of Service\n * High Data Loss\n * High Lateral Movement\n * Predicted High Risk\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the Zerologon threat feed to see the vulnerability and impacted host details. \n\nWith VMDR Dashboard, you can track Zerologon, impacted hosts, their status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of Zerologon vulnerability trends in your environment using [Zerologon Dashboard Link](<https://qualys-secure.force.com/customer/s/article/000006405>).\n\n\n\n### Response by Patching and Remediation \n\nVMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select \u201cqid: 91668\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 Zerologon. 
\n\nFor proactive, continuous patching, you can create a job without a Patch Window to ensure all hosts will continue to receive the required patches as new patches become available for emerging vulnerabilities.\n\nUsers are encouraged to apply patches as soon as possible.\n\n### Solution\n\nUsers are advised to review their Microsoft Windows installations with Microsoft\u2019s August 2020 security [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) mentioned above. For Windows devices, a patch to be published in Feb 2021 would place Domain controllers in enforcement mode; to explicitly allow the account by adding an exception for any non-compliant device.\n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching the high-priority Zerologon vulnerability CVE-2020-1472.\n\n### **References**\n\n<https://www.secura.com/pathtoimg.php?id=2055>\n\n<https://github.com/SecuraBV/CVE-2020-1472>\n\n<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>\n\n<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>", "modified": "2020-09-15T19:55:08", "published": "2020-09-15T19:55:08", "id": "QUALYSBLOG:192411B44569225E2F2632594DC4308C", "href": "https://blog.qualys.com/category/vulnerabilities-research", "type": "qualysblog", "title": "Microsoft Netlogon Vulnerability (CVE-2020-1472 \u2013 Zerologon) \u2013 Automatically Discover, Prioritize and Remediate Using Qualys VMDR\u00ae", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2021-02-12T15:26:38", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21145", "CVE-2021-21146", "CVE-2021-21147", "CVE-2021-21143", "CVE-2021-21144", "CVE-2021-21142"], "description": "\nChrome Releases reports:\n\nThis update include 6 security fixes:\n\n[1169317] Critical 
CVE-2021-21142: Use after free in Payments.\n\t Reported by Khalil Zhani on 2021-01-21\n[1163504] High CVE-2021-21143: Heap buffer overflow in\n\t Extensions. Reported by Allen Parker and Alex Morgan of MU on\n\t 2021-01-06\n[1163845] High CVE-2021-21144: Heap buffer overflow in Tab\n\t Groups. Reported by Leecraso and Guang Gong of 360 Alpha Lab on\n\t 2021-01-07\n[1154965] High CVE-2021-21145: Use after free in Fonts. Reported\n\t by Anonymous on 2020-12-03\n[1161705] High CVE-2021-21146: Use after free in Navigation.\n\t Reported by Alison Huffman and Choongwoo Han of Microsoft Browser\n\t Vulnerability Research on 2020-12-24\n[1162942] Medium CVE-2021-21147: Inappropriate implementation in\n\t Skia. Reported by Roman Starkov on 2021-01-04\n\n\n", "edition": 2, "modified": "2021-02-02T00:00:00", "published": "2021-02-02T00:00:00", "id": "479FDFDA-6659-11EB-83E2-E09467587C17", "href": "https://vuxml.freebsd.org/freebsd/479fdfda-6659-11eb-83e2-e09467587c17.html", "title": "www/chromium -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-02-10T00:15:14", "bulletinFamily": "info", "cvelist": ["CVE-2021-24086", "CVE-2021-24094"], "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at February 09, 2021 9:42pm UTC reported:\n\nThis remains a spectacularly new vulnerability with little documentation associated with it beyond Microsoft\u2019s blog here: <https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/> \nIn the blog, this is a remote code execution vulnerability reported as associated with IPv6 packet reassembly. 
According to the vulnerability report here: <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>, there is a patch, and you can create a firewall rule on Windows host-based firewalls to block an attack with the command `Netsh int ipv6 set global reassemblylimit=0` to block packet reassembly. THIS MAY AFFECT SOME NETWORK TRAFFIC. \nA second denial of service vulnerability (CVE-2021-24086) also associated with IPv6 fragment reassembly is mitigated with the same command. \nAs pure speculation, this vulnerability might be associated with memory corruption through improper length reporting, such that when packets are reassembled in memory, they are placed in a buffer of insufficient size to store them. Should that be the case, this would most likely be a heap vulnerability, and like other heap vulnerabilities before it like eternalblue, bluekeep, and dejablue, it will be a real pain to get to work on a regular basis or as a worm-able exploit.\n\nAssessed Attacker Value: 1 \nAssessed Attacker Value: 1\n", "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "AKB:5ACC27EC-B7F2-405F-B3D6-009D27A1C386", "href": "https://attackerkb.com/topics/MKqjeN2Z1F/cve-2021-24094", "type": "attackerkb", "title": "CVE-2021-24094", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-09T21:19:03", "bulletinFamily": "info", "cvelist": ["CVE-2021-24074"], "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. 
When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**bwatters-r7** at February 09, 2021 9:16pm UTC reported:\n\nThis remains a spectacularly new vulnerability with little documentation associated with it beyond Microsoft\u2019s blog here: <https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/> \nIn the blog, they report that this vulnerability is associated with IPv4 source routing, but the default blocks against source routing on Windows are not sufficient, as the default configuration allows a Windows system to process ICMP requests with source routing. \nReported as a remote code execution vulnerability, Microsoft claims that it will likely not be weaponized for that purpose quickly, though it might see a DoS exploit in the near-term. \nThere is a patch, but also, the mitigations provided in the guidance (<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24074>) involve the creation of a rule blocking source forwarding from the built-in firewall: \n`netsh int ipv4 set global sourceroutingbehavior=drop` \nSuch a change in the firewall configuration can be deployed by group policy and would not require a reboot. 
The rule could also be deployed to infrastructure firewalls, but would then only protect against attacks that took place across the firewall; the rules would need to be set on all Windows system host-based firewalls to protect against lateral movement within a network.\n\nAssessed Attacker Value: 2 \nAssessed Attacker Value: 1\n", "modified": "2021-01-14T00:00:00", "published": "2021-01-14T00:00:00", "id": "AKB:4BB453DC-4A7E-4FAF-832B-C5079208A3DA", "href": "https://attackerkb.com/topics/Vcp83dpFgQ/cve-2021-24074", "type": "attackerkb", "title": "CVE-2021-24074", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-20T15:18:39", "bulletinFamily": "info", "cvelist": ["CVE-2021-21148"], "description": "Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 05, 2021 4:25pm UTC reported:\n\nReported as exploited in the wild at <https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>. Several news articles such as <https://www.theverge.com/2021/2/5/22267872/chrome-88-zero-day-vulnerability-government-backed-hackers-security-researchers> have suggested that given the timing of this bug, and that it was reported one day before Google\u2019s report on the North Korea hackers targeting security researchers (see <https://www.theverge.com/2021/1/26/22250060/google-threat-analysis-group-north-korean-hackers-cybersecurity-researchers-social-engineering>), it may be related to the 0day Chrome bug that was used by North Korean state actors in that engagement.\n\nGiven this is a remote heap overflow in the browser there may be some concerns regarding reliability though and whilst I\u2019m sure there will be public exploits for this bug, I do question how reliable they will be given the nature of trying to exploit heap exploits. 
I would imagine the exploit would take advantage of JavaScript to craft the heap appropriately. Therefore a temporary, but not recommended, precaution may be to disable JavaScript in Chrome until one can apply this update.\n\nPlease note that Chrome will automatically apply the update if you open and close your browser. However people do tend to keep Chrome open with many tabs and then suspend their PC at the end of the day, so it\u2019s possible that these patches will likely see an uptick in application when the next Patch Tuesday or company wide patch cycle is enforced and people are forced to reboot their PCs to apply patches, and therefore restart Chrome.\n", "modified": "2021-02-13T00:00:00", "published": "2021-02-09T00:00:00", "id": "AKB:B61D2687-96CE-4CE9-939F-9E35DA7814C4", "href": "https://attackerkb.com/topics/9stbF9rFqe/cve-2021-21148", "type": "attackerkb", "title": "CVE-2021-21148", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-11T00:16:59", "bulletinFamily": "info", "cvelist": ["CVE-2021-1732"], "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 10, 2021 10:03pm UTC reported:\n\nA very interesting vulnerability in win32kfull.sys on Windows 10 devices up to and including 20H2. Although the exploit in the wild specifically targeted Windows 10 v1709 to Windows 10 v1909, as noted at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>, the researchers noted that the vulnerability could be modified to work on Windows 20H2 with minor modifications.\n\nFrom my perspective this is rather significant, particularly given this is a win32kfull.sys bug we are talking about here. 
Most of the primitives that made win32k exploitation easier were entirely wiped out by Microsoft which prompted a lot of researchers who previously spoke publicly about such primitives in conference talks and similar to go quiet. Whilst rumor has been that there were other primitives one could use for exploitation, they were considered closely guarded secrets due to the difficulty in finding them and the fact that Microsoft would be likely to patch them very quickly.\n\nThe new primitive that is used here appears to be setting tagMenuBarInfo.rcBar.left and tagMenuBarInfo.rcBar.top and then calling GetMenuBarInfo(), which allows one to perform an arbitrary read in kernel memory. This has not been discussed before but is similar to another concept discussed in the paper \u201cLPE vulnerabilities exploitation on Windows 10 Anniversary Update\u201d at ZeroNights which mentioned using two adjacent Windows and then setting the cbwndExtra field of the first window to a large value to allow the first window to set all of the properties of the second window. By chaining this together the attacker could achieve an arbitrary read and write in kernel memory.\n\nThe bug itself stems from a xxxClientAllocWindowClassExtraBytes() callback within win32kfull!xxxCreateWindowEx. Specifically when xxxCreateWindowEx() creates a window object with a cbwndExtra field set, aka it has extra Window bytes, it will perform a xxxClientAllocWindowClassExtraBytes() callback to usermode to allocate the extra bytes for the Window.\n\nYou may be wondering why such callbacks are needed. Well a long time ago Windows used to handle all its graphics stuff in kernel mode, but then people realized that was too slow given increasing demands for speed, so they made most of the code operate in usermode with key stuff handled by kernel mode. This led to a big rift and is the reason we have callbacks. 
That\u2019s the nutshell version anyway but go read up on <http://mista.nu/research/mandt-win32k-slides.pdf> and <https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf> if you want to learn more. It\u2019s a fascinating read :)\n\nAnyway back on topic. Since xxxClientAllocWindowClassExtraBytes() is a callback that is under the attacker\u2019s control, the attacker can set a hook that will trigger when a xxxClientAllocWindowClassExtraBytes() callback is made and call NtUserConsoleControl() with the handle of the window that is currently being operated on. This will end up calling xxxConsoleControl() in kernel mode which will set *((tagWND+0x28)+0x128) to an offset, and will AND the flag at *((tagWND+0x28) + 0xE8) with 0x800 to indicate that the value of the WndExtra member is an offset from the base address of RtlHeapBase. Unfortunately, whatever value is returned by the hooked xxxClientAllocWindowClassExtraBytes() callback (aka whatever value the attacker chooses) will be used as the value of WndExtra, since remember we are meant to be allocating the address of this field at the time due to the earlier xxxCreateWindowEx() call needing to allocate memory for WndExtra.\n\nOnce this is done, the callback will be completed, execution will return to usermode, and a call to DestroyWindow() will be made from usermode. This will cause xxxDestroyWindow() to be called in kernel mode which will call xxxFreeWindow(), which will check if *((tagWND+0x28) + 0xE8) has the flag designated by 0x800 set, which it will due to the alterations made by xxxConsoleControl(). 
This will then result in a call to RtlFreeHeap() which will attempt to free an address designated by RtlHeapBase + offset, where offset is the value of WndExtra (which is taken from the xxxClientAllocWindowClassExtraBytes() callback and therefore completely controlled by the attacker).\n\nThis subsequently results in the attacker being able to free memory at an arbitrary address in memory.\n\nI\u2019ll not dive into a full detailed analysis of the rest of the exploitation steps as the article at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/> is very comprehensive but I will say from what I\u2019ve read there, there is enough detail that people of a decent skill level could probably recreate this exploit. It certainly isn\u2019t an easy exploit to recreate but the exploit goes into a lot of detail about the various mitigation bypasses that were used to make this exploit possible, which could help an attacker more readily recreate this bug.\n\nAgain, this exploit was exploited in the wild so it is possible for this bug to be recreated, it just might take some time for people to work out a few of the specifics needed to get a working exploit. 
If you are running Windows 10, it is highly advised to upgrade as soon as possible: everything I am reading here points to signs that this will be weaponized within the coming few weeks or months.\n\nAdditionally it should be noted that this exploit was noted to be capable of escaping Microsoft IE\u2019s sandbox (but not Google Chrome\u2019s) so if you are running Microsoft IE within your environment, it\u2019s even more imperative that you patch this issue to prevent an attacker from combining this with an IE 0day and conducting a drive by attack against your organization, whereby simply browsing a website could lead to attackers gaining SYSTEM level privileges against affected systems.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 3\n", "modified": "2020-12-02T00:00:00", "published": "2020-12-02T00:00:00", "id": "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74", "href": "https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732", "type": "attackerkb", "title": "CVE-2021-1732", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-12-24T21:14:10", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472", "CVE-2020-2021"], "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka \u2018Netlogon Elevation of Privilege Vulnerability\u2019.\n\n \n**Recent assessments:** \n \n**VoidSec** at September 15, 2020 8:31am UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the 
login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. \nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**jpcastr0** at September 16, 2020 3:29pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at August 11, 2020 10:15pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4**zeroSteiner** at October 09, 2020 5:00pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**gwillcox-r7** at October 20, 2020 6:00pm UTC reported:\n\nUnauthenticated attacker, able to directly connect to a Domain Controller over [NRPC](<https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f>) will be able to reset the Domain Controller\u2019s account password to an empty string, thus enabling the attackers to further escalate their privileges to Domain Admin.\n\nThe exploit will be successful only if the Domain Controller uses the password stored in Active Directory to validate the login attempt, rather than the one stored locally as, when changing a password in this way, it is only changed in the AD. The targeted system itself will still locally store its original password. \nTarget computer will then not be able to authenticate to the domain anymore, and it can only be re-synchronized through manual action. 
\nIn test lab a successful attack broke the following functionalities when targeting a Domain Controller: DNS functionality and/or communication with replication Domain Controllers.\n\n[Checker and Exploit code](<https://github.com/VoidSec/CVE-2020-1472>) \nOriginal research and white-paper: [Secura \u2013 Tom Tervoort](<https://www.secura.com/blog/zero-logon>)\n", "modified": "2020-11-18T00:00:00", "published": "2020-08-17T00:00:00", "id": "AKB:7C5703D3-9E18-4F5C-A4D2-25E1F09B43CB", "href": "https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472-aka-zerologon", "type": "attackerkb", "title": "CVE-2020-1472 aka Zerologon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2021-02-13T14:38:31", "description": "Acrobat Reader DC versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by a heap-based buffer overflow vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-11T20:15:00", "title": "CVE-2021-21017", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21017"], "modified": "2021-02-12T22:52:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:20.013.20074", "cpe:/a:adobe:acrobat_reader:20.001.300183", "cpe:/a:adobe:acrobat:20.001.30018", "cpe:/a:adobe:acrobat_reader:17.011.30188", "cpe:/a:adobe:acrobat:17.011.30188", "cpe:/a:adobe:acrobat_dc:20.013.20074"], "id": "CVE-2021-21017", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21017", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_dc:20.013.20074:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:17.011.30188:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat:17.011.30188:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:20.001.300183:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat:20.001.30018:*:*:*:classic:*:*:*", 
"cpe:2.3:a:adobe:acrobat_reader_dc:20.013.20074:*:*:*:continuous:*:*:*"]}, {"lastseen": "2021-02-18T14:40:58", "description": "Heap buffer overflow in Extensions in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T15:15:00", "title": "CVE-2021-21143", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21143"], "modified": "2021-02-18T02:13:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21143", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21143", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-18T14:40:58", "description": "Use after free in Fonts in Google Chrome prior to 88.0.4324.146 allowed a remote attacker to potentially exploit heap 
corruption via a crafted HTML page.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T15:15:00", "title": "CVE-2021-21145", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21145"], "modified": "2021-02-18T02:12:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21145", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21145", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-18T14:40:58", "description": "Heap buffer overflow in Tab Groups in Google Chrome prior to 88.0.4324.146 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T15:15:00", "title": "CVE-2021-21144", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21144"], "modified": "2021-02-18T02:12:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21144", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21144", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-18T14:40:58", "description": "Use after free in Payments in Google Chrome on Mac prior to 88.0.4324.146 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-09T15:15:00", "title": 
"CVE-2021-21142", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21142"], "modified": "2021-02-18T02:13:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21142", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21142", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-18T14:40:58", "description": "Use after free in Navigation in Google Chrome prior to 88.0.4324.146 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-09T15:15:00", "title": "CVE-2021-21146", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21146"], "modified": "2021-02-18T02:12:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21146", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21146", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-18T14:40:58", "description": "Inappropriate implementation in Skia in Google Chrome prior to 88.0.4324.146 allowed a local attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 1.4}, "published": "2021-02-09T15:15:00", "title": "CVE-2021-21147", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21147"], "modified": "2021-02-18T02:11:00", "cpe": ["cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21147", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21147", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-25T14:59:41", "description": "Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T16:15:00", "title": "CVE-2021-21148", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21148"], "modified": "2021-02-24T18:59:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:fedoraproject:fedora:33"], "id": "CVE-2021-21148", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21148", 
"cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:36:59", "description": "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.", "edition": 19, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-08-17T19:15:00", "title": "CVE-2020-1472", "type": "cve", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472"], "modified": "2020-12-24T16:15:00", "cpe": ["cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:opensuse:leap:15.1", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:fedoraproject:fedora:32", "cpe:/o:microsoft:windows_server_2016:1909", 
"cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:opensuse:leap:15.2", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:fedoraproject:fedora:33", "cpe:/o:microsoft:windows_server_2016:-", "cpe:/o:microsoft:windows_server_2016:1903", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2020-1472", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"]}], "krebs": [{"lastseen": "2021-02-10T00:29:38", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1472", "CVE-2021-1732", "CVE-2021-21148", "CVE-2021-24078"], "description": "**Microsoft** today rolled out updates to plug at least 56 security holes in its **Windows** operating systems and other software. 
One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.\n\n\n\nNine of the 56 vulnerabilities earned Microsoft's most urgent "critical" rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.\n\nThe flaw being exploited in the wild already -- [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) -- affects Windows 10, Server 2016 and later editions. It received a slightly less dire "important" rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.\n\nTwo of the other bugs that were disclosed prior to this week are critical and reside in **Microsoft's .NET Framework**, a component required by many third-party applications (most Windows users will have some version of .NET installed).\n\nWindows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you've backed up your system and installed this month's patches, you may want to check Windows Update again to see if there are any .NET updates pending.\n\nA key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker's choice. 
[CVE-2021-24078](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24078>) earned [a CVSS Score](<https://nvd.nist.gov/vuln-metrics/cvss>) of 9.8, which is about as dangerous as they come.\n\n**Recorded Future** says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). **Kevin Breen** of **Immersive Labs** notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization's web traffic -- such as pointing internal appliances or Outlook email access at a malicious server.\n\nWindows Server users also should be aware that Microsoft this month is enforcing the second round of security improvements as part of a two-phase update to address [CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>), a severe vulnerability that [first saw active exploitation back in September 2020](<https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/>).\n\nThe vulnerability, dubbed "**Zerologon**," is a bug in the core "**Netlogon**" component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\nMicrosoft's [initial patch for CVE-2020-1472](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>) fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. 
Microsoft said it chose this two-step approach "to ensure vendors of non-compliant implementations can provide customers with updates." With this month's patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.\n\nA couple of other, non-Windows security updates are worth mentioning. Adobe today [released updates to fix at least 50 security holes in a range of products](<https://blogs.adobe.com/psirt/?p=1965>), including Photoshop and Reader. The Acrobat/Reader update tackles a critical zero-day flaw that [Adobe says](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) is actively being exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, please make sure these programs are kept up to date.\n\nThere is also a zero-day flaw in **Google's Chrome Web browser** (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart the browser for the updates to fully take effect. If you're a Chrome user and notice a red "update" prompt to the right of the address bar, it's time to save your work and restart the browser.\n\nStandard reminder: While staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re less likely to pull your hair out when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nKeep in mind that Windows 10 by default will automatically download and install updates on its own schedule. 
If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAnd as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "modified": "2021-02-09T22:37:19", "published": "2021-02-09T22:37:19", "id": "KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "href": "https://krebsonsecurity.com/2021/02/microsoft-patch-tuesday-february-2021-edition/", "type": "krebs", "title": "Microsoft Patch Tuesday, February 2021 Edition", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "mscve": [{"lastseen": "2021-02-09T21:36:56", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-24086", "CVE-2021-24074", "CVE-2021-24094"], "description": "**1\\. Set sourceroutingbehavior to "drop"**\n\nUse the following command:\n\n`netsh int ipv4 set global sourceroutingbehavior=drop`\n\nFor more information about ipv4 registry settings see [Additional Registry Settings](<https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd349797\\(v=ws.10\\)#disableipsourcerouting%22>)\n\n**Impact of workaround**\n\nIPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request. The workaround will cause the system to drop these requests altogether without any processing.\n\n**How to undo the workaround**\n\nTo restore to default setting "Dontforward":\n\n`netsh int ipv4 set global sourceroutingbehavior=dontforward`\n\n**2\\. 
Configure firewall or load balancers to disallow source routing requests**\n", "edition": 1, "modified": "2021-02-09T08:00:00", "published": "2021-02-09T08:00:00", "id": "MS:CVE-2021-24074", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074", "title": "Windows TCP/IP Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-13T03:38:23", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-24086", "CVE-2021-24074", "CVE-2021-24094"], "description": "**1\\. Set global reassemblylimit to 0**\n\nThe following command disables packet reassembly. Any out-of-order packets are dropped. Valid scenarios should not exceed more than 50 out-of-order fragments. We recommend testing prior to updating production systems.\n\n`Netsh int ipv6 set global reassemblylimit=0`\n\nFurther netsh guidance can be found at [netsh](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netsh>).\n\n**Impact of workaround**\n\nThere is a potential for packet loss when discarding out-of-order packets.\n\n**How to undo the workaround**\n\nTo restore to default setting "267748640":\n\n`Netsh int ipv6 set global reassemblylimit=267748640`\n\n**2\\. Configure an Edge device, such as a firewall or load balancer, to disallow IPv6 fragmentation. Host based firewalls do not provide sufficient protection.**\n\nThis vulnerability affects all Windows IPv6 deployments, but Windows systems that are ONLY configured with IPv6 link-local addresses are not reachable by remote attackers. 
IPv6 link-local addresses are not routable on the internet, and an attack would need to originate from the same logical or adjacent network segment.\n", "edition": 3, "modified": "2021-02-12T08:00:00", "id": "MS:CVE-2021-24086", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24086", "published": "2021-02-12T08:00:00", "title": "Windows TCP/IP Denial of Service Vulnerability", "type": "mscve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-13T03:38:30", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-24086", "CVE-2021-24074", "CVE-2021-24094"], "description": "**1\\. Set global reassemblylimit to 0**\n\nThe following command disables packet reassembly. Any out-of-order packets are dropped. Valid scenarios should not exceed more than 50 out-of-order fragments. We recommend testing prior to updating production systems.\n\n`Netsh int ipv6 set global reassemblylimit=0`\n\nFurther netsh guidance can be found at [netsh](<https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netsh>).\n\n**Impact of workaround**\n\nThere is a potential for packet loss when discarding out-of-order packets.\n\n**How to undo the workaround**\n\nTo restore to default setting "267748640":\n\n`Netsh int ipv6 set global reassemblylimit=267748640`\n\n**2\\. Configure an Edge device, such as a firewall or load balancer, to disallow IPv6 fragmentation. Host based firewalls do not provide sufficient protection.**\n\nThis vulnerability affects all Windows IPv6 deployments, but Windows systems that are ONLY configured with IPv6 link-local addresses are not reachable by remote attackers. 
IPv6 link-local addresses are not routable on the internet, and an attack would need to originate from the same logical or adjacent network segment.\n", "edition": 3, "modified": "2021-02-12T08:00:00", "id": "MS:CVE-2021-24094", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094", "published": "2021-02-12T08:00:00", "title": "Windows TCP/IP Remote Code Execution Vulnerability", "type": "mscve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-12T15:31:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21147"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "edition": 2, "modified": "2021-02-04T08:00:00", "id": "MS:CVE-2021-21147", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21147", "published": "2021-02-04T08:00:00", "title": "Chromium CVE-2021-21147: Inappropriate implementation in Skia", "type": "mscve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-12T15:33:20", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21145"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "edition": 2, "modified": "2021-02-04T08:00:00", "id": "MS:CVE-2021-21145", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21145", "published": "2021-02-04T08:00:00", "title": "Chromium CVE-2021-21145: Use after free in Fonts", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-12T15:33:00", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21143"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "edition": 2, "modified": "2021-02-04T08:00:00", "id": "MS:CVE-2021-21143", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21143", "published": "2021-02-04T08:00:00", "title": "Chromium CVE-2021-21143: Heap buffer overflow in Extensions", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-12T15:33:08", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21142"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "edition": 2, "modified": "2021-02-04T08:00:00", "id": "MS:CVE-2021-21142", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21142", "published": "2021-02-04T08:00:00", "title": "Chromium CVE-2021-21142: Use after free in Payments", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-12T15:33:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21146"], "description": "This CVE was assigned by Chrome. 
Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "edition": 2, "modified": "2021-02-04T08:00:00", "id": "MS:CVE-2021-21146", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21146", "published": "2021-02-04T08:00:00", "title": "Chromium CVE-2021-21146: Use after free in Navigation", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-12T15:33:37", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21144"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n", "edition": 2, "modified": "2021-02-04T08:00:00", "id": "MS:CVE-2021-21144", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21144", "published": "2021-02-04T08:00:00", "title": "Chromium CVE-2021-21144: Heap buffer overflow in Tab Groups", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-12T15:33:22", "bulletinFamily": "microsoft", "cvelist": ["CVE-2021-21148"], "description": "This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. 
Please see [Google Chrome Releases](<https://chromereleases.googleblog.com/2021>) for more information.\n\n**This CVE has been reported to be exploited in the wild.**\n", "edition": 2, "modified": "2021-02-05T08:00:00", "id": "MS:CVE-2021-21148", "href": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-21148", "published": "2021-02-05T08:00:00", "title": "Chromium CVE-2021-21148: Heap buffer overflow in V8", "type": "mscve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-02-24T18:06:41", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Samba Team has released a security update to address a critical vulnerability\u2014CVE-2020-1472\u2014in multiple versions of Samba. This vulnerability could allow a remote attacker to take control of an affected system.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Samba Security Announcement for [CVE-2020-1472](<https://www.samba.org/samba/security/CVE-2020-1472.html>) and apply the necessary updates or workaround.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472>); we'd welcome your feedback.\n", "modified": "2020-09-21T00:00:00", "published": "2020-09-21T00:00:00", "id": "CISA:7FB0A467C0EB89B6198A58418B43D50C", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/21/samba-releases-security-update-cve-2020-1472", "type": "cisa", "title": "Samba Releases Security Update for CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "bulletinFamily": "info", "cvelist": 
["CVE-2020-1472"], "description": "Microsoft has released a [blog post](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>) on cyber threat actors exploiting CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. The Cybersecurity and Infrastructure Security Agency (CISA) has observed nation state activity exploiting this vulnerability. This malicious activity has often, but not exclusively, been directed at federal and state, local, tribal, and territorial (SLTT) government networks.\n\nCISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable, as threat actors can identify and exploit a vulnerable system in minutes. If there is an observation of CVE-2020-1472 Netlogon activity or other indications of valid credential abuse detected, it should be assumed that malicious cyber actors have compromised all identity services.\n\nIn the coming weeks and months, administrators should take follow-on actions that are described in [guidance](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) released by Microsoft to prepare for the second half of Microsoft\u2019s Netlogon migration process, which is scheduled to conclude in February 2021.\n\nCISA encourages users and administrators to review the following resources and apply the necessary updates and mitigations.\n\n * Microsoft blog post: [Attacks exploiting Netlogon vulnerability (CVE-2020-1472)](<https://msrc-blog.microsoft.com/2020/10/29/attacks-exploiting-netlogon-vulnerability-cve-2020-1472/>)\n * Microsoft: August Security Advisory for 
[CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft: [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n * CISA Joint Cybersecurity Advisory: [AA20-283A APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations](<https://us-cert.cisa.gov/ncas/alerts/aa20-283a>)\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472>); we'd welcome your feedback.\n", "modified": "2020-12-10T00:00:00", "published": "2020-10-29T00:00:00", "id": "CISA:61F2653EF56231DB3AEC3A9E938133FE", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/10/29/microsoft-warns-continued-exploitation-cve-2020-1472", "type": "cisa", "title": "Microsoft Warns of Continued Exploitation of CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:40", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of publicly available exploit code for CVE-2020-1472, an elevation of privilege vulnerability in Microsoft\u2019s Netlogon. Although Microsoft provided patches for CVE-2020-1472 in August 2020, unpatched systems will be an attractive target for malicious actors. 
Attackers could exploit this vulnerability to obtain domain administrator access.\n\nCISA encourages users and administrators to review Microsoft\u2019s August Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 >) and [Article](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) for more information and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472>); we'd welcome your feedback.\n", "modified": "2020-09-14T00:00:00", "published": "2020-09-14T00:00:00", "id": "CISA:433F588AAEF2DF2A0B46FE60687F19E0", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472", "type": "cisa", "title": "Exploit for Netlogon Remote Protocol Vulnerability, CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of CVE-2020-1472, an [elevation of privilege vulnerability in Microsoft\u2019s Netlogon](<https://us-cert.cisa.gov/ncas/current-activity/2020/09/14/exploit-netlogon-remote-protocol-vulnerability-cve-2020-1472 >). A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access. 
Applying patches from Microsoft\u2019s August 2020 Security Advisory for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) can prevent exploitation of this vulnerability.\n\nCISA has released a [patch validation script](<https://github.com/cisagov/cyber.dhs.gov/tree/master/assets/report/ed-20-04_script>) to detect unpatched Microsoft domain controllers. CISA urges administrators to patch all domain controllers immediately\u2014until every domain controller is updated, the entire infrastructure remains vulnerable. Review the following resources for more information:\n\n * [CISA Patch Validation Script](<https://github.com/cisagov/cyber.dhs.gov/tree/master/assets/report/ed-20-04_script>)\n * [CISA Emergency Directive 20-04: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday](<https://cyber.dhs.gov/ed/20-04/>)\n * CERT/CC Vulnerability Note [VU#490028](<https://www.kb.cert.org/vuls/id/490028>)\n * Microsoft Security Vulnerability Information for [CVE-2020-1472](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>)\n * Microsoft\u2019s guidance on [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>)\n", "modified": "2020-09-24T00:00:00", "published": "2020-09-24T00:00:00", "id": "CISA:2B970469D89016F563E142BE209443D8", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2020/09/24/unpatched-domain-controllers-remain-vulnerable-netlogon", "type": "cisa", "title": "Unpatched Domain Controllers Remain Vulnerable to Netlogon Vulnerability, CVE-2020-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-24T18:06:34", "bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "Microsoft addressed a critical remote code execution vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. Beginning with the February 9, 2021 Security Update release, Domain Controllers will be placed in enforcement mode. This will require all Windows and non-Windows devices to use secure Remote Procedure Call (RPC) with Netlogon secure channel or to explicitly allow the account by adding an exception for any non-compliant device.\n\nCISA encourages users and administrators to review the Microsoft [security update](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>) and apply the necessary updates.\n", "modified": "2021-02-10T00:00:00", "published": "2021-02-10T00:00:00", "id": "CISA:E5A33B5356175BB63C2EFA605346F8C7", "href": "https://us-cert.cisa.gov/ncas/current-activity/2021/02/10/microsoft-launches-phase-2-mitigation-netlogon-remote-code", "type": "cisa", "title": "Microsoft Launches Phase 2 Mitigation for Netlogon Remote Code Execution Vulnerability (CVE-2020-1472) ", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2020-09-29T08:39:08", 
"bulletinFamily": "info", "cvelist": ["CVE-2020-1472"], "description": "### Updates September 16, 2020\n\n\n\nSamba domain controllers before 4.8 [have been confirmed](<https://twitter.com/certcc/status/1306279825519382528>) to be vulnerable to CVE-2020-1472. There are now multiple public [PoC exploits](<https://github.com/bb00/zer0dump>) available, most if not all of which are [modifications](<https://github.com/risksense/zerologon>) to Secura\u2019s original PoC built on Impacket. There are reports of the vulnerability's being actively exploited in the wild, including to spread ransomware. The maintainer of popular post-exploitation tool Mimikatz has also [announced a new release](<https://twitter.com/gentilkiwi/status/1306178689630076929>) of the tool that integrates Zerologon detection and exploitation support. Several threads on [exploitation traces](<https://twitter.com/SBousseaden/status/1304867515844243458>) and [community detection rules](<https://twitter.com/andriinb/status/1304676530350628864>) have also garnered attention from researchers and security engineers.\n\n### (Original text)\n\nEarlier today (September 14, 2020), security firm Secura published a [technical paper](<https://www.secura.com/pathtoimg.php?id=2055>) on CVE-2020-1472, a [CVSS-10 privilege escalation vulnerability](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472?referrer=blog#rapid7-analysis>) in Microsoft\u2019s Netlogon authentication process that the paper's authors christened \u201cZerologon.\u201d The vulnerability, which was [partially patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>) in Microsoft\u2019s August 2020 Patch Tuesday release, arises from a flaw in the cryptographic implementation of the Netlogon protocol, specifically in its usage of AES-CFB8 encryption. 
The impact of successful exploitation is enormous: The flaw allows for full takeover of Active Directory domains by compromising Windows Servers running as domain controllers\u2014in Secura\u2019s words, enabling \u201can attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker\u2019s viewpoint.\u201d This RPC connection can be made either directly or over SMB via named pipes.\n\nSecura\u2019s blog includes [proof-of-concept (PoC) code](<https://github.com/SecuraBV/CVE-2020-1472>) that performs the authentication bypass and can easily be weaponized for use in attacker operations, including ransomware and other malware propagation. It\u2019s unlikely that it will take long for a fully weaponized exploit (or several) to hit the internet.\n\n[InsightVM](<https://www.rapid7.com/products/insightvm/>) customers can assess their exposure to CVE-2020-1472 with an [authenticated check](<https://www.rapid7.com/db/vulnerabilities/msft-cve-2020-1472>). Organizations that have not already applied Microsoft\u2019s August 11, 2020 security updates are urged to consider patching CVE-2020-1472 on an emergency basis. Microsoft customers who have successfully applied the August 2020 security updates can deploy Domain Controller (DC) enforcement mode either now or after the Q1 2021 update that includes the second part of the patch for this vulnerability. 
Microsoft [has guidance here](<https://support.microsoft.com/kb/4557222>) on how to manage changes in Netlogon secure channel connections associated with this vulnerability.\n\nFor more Rapid7 analysis, further evaluation of Secura\u2019s technical paper, and guidance, see Zerologon\u2019s [AttackerKB entry here](<https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472?referrer=blog#rapid7-analysis>).\n\n### Affected products\n\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1\n * Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n * Windows Server 2012\n * Windows Server 2012 (Server Core installation)\n * Windows Server 2012 R2\n * Windows Server 2012 R2 (Server Core installation)\n * Windows Server 2016\n * Windows Server 2016 (Server Core installation)\n * Windows Server 2019\n * Windows Server 2019 (Server Core installation)\n * Windows Server, version 1903 (Server Core installation)\n * Windows Server, version 1909 (Server Core installation)\n * Windows Server, version 2004 (Server Core installation)\n\n### References\n\n * <https://attackerkb.com/topics/7FbcgDOidQ/cve-2020-1472?referrer=blog#rapid7-analysis>\n * <https://www.secura.com/pathtoimg.php?id=2055>\n * <https://www.zdnet.com/article/zerologon-attack-lets-hackers-take-over-enterprise-networks/>\n * <https://github.com/SecuraBV/CVE-2020-1472>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>", "modified": "2020-09-14T23:29:59", "published": "2020-09-14T23:29:59", "id": "RAPID7BLOG:C628D3D68DF3AE5A40A1F0C9DFA38860", "href": "https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/", "type": "rapid7blog", "title": "CVE-2020-1472 \"Zerologon\" Critical Privilege Escalation: What You Need To Know", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "pentestpartners": [{"lastseen": "2020-09-23T14:54:17", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1350", 
"CVE-2020-1472"], "description": "### TL;DR\n\nYes, apply the update from Microsoft.\n\n### The new MS08-067?\n\nCVE-2020-1472 is an elevation of privilege vulnerability in a cryptographic authentication scheme used by the Netlogon service and was discovered (and named Zerologon) by Tom Tervoort at [Secura](<https://www.secura.com/blog/zero-logon>). It does not require authentication. It can be used by an attacker to remotely compromise a domain controller, the result being domain admin access. That is pretty much as bad as it gets, so naturally it is rated critical by [Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472>).\n\nThe vulnerability was patched in August 2020 in the first of a 2-part update: the first part mitigates it, and the second (coming in 2021) fully closes it.\n\n### What\u2019s affected?\n\nAll flavours of Microsoft Windows Server, including Server Core, though the impact is predominantly going to affect your domain controllers.\n\nSome versions of Linux are also vulnerable: [SUSE](<https://www.suse.com/support/kb/doc/?id=000019713>), [Red Hat](<https://access.redhat.com/security/cve/CVE-2020-1472>).\n\n### Is it a risk for me?\n\nCommonly, when Microsoft release a critical update, the infosec community make a big deal out of the vulnerability. That is rightly so in some cases, but in others there is often no actual public exploit code available. Now that doesn\u2019t mean there isn\u2019t code available in private groups and that those risks shouldn\u2019t be taken seriously, but the absence of exploit code does make the bar of exploit that little bit higher. Unlike [some cases](<https://blog.zsec.uk/cve-2020-1350-research/>), in Zerologon\u2019s case there are currently 31 repositories on GitHub which purport to reference the vulnerability.\n\nThese range from a basic detection type script through to full takeover of a domain. 
Whilst we cannot confirm the authenticity of all of these, some are known to function as expected, so they should be taken seriously.\n\nAs exploits develop they are getting more advanced. The early attacks would render the domain controller the exploit was run on unusable; this is now getting refined to allow the attacker to recover the domain controller. The code is even being added to the popular [Mimikatz](<https://github.com/gentilkiwi/mimikatz>) exploitation tool.\n\nThere is a risk that disgruntled internal staff will exploit this. Right now there are no known PowerShell versions of this exploit, and so short of an internal staff member using their own laptop it\u2019s unlikely that they will have the toolset to exploit it\u2026 however, this will change.\n\nThe threat is real. This is becoming a \u2018point and click\u2019 type exploit.\n\n### What mitigating factors are there?\n\nIn order to exploit the vulnerability the attacker does need to be on the local area network, but does not need credentials. This does mean an attacker needs to be inside your network boundary, but this could be achieved in many ways, most obviously through a phishing attack, but that may not be necessary\u2026 Have you got wired network points in public meeting rooms? How secure is your wireless?\n\nA read-only domain controller is also likely affected, but it is unclear in what way. Read-only domain controllers may increase the risk to your organisation as commonly these are placed outside the trust boundaries.\n\nThe exploit currently breaks the domain controller it is exploited on, and so it is unlikely that responsible security consultants will execute the exploit; however, unknown threat actors are likely to. 
This is also likely to be improved as time goes on.\n\nThen\u2026 well\u2026 there is the patch, obviously.\n\nOnce you have applied the patch you can enable some [registry keys](<https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc>) that will enable DC enforcement; this will deny vulnerable Netlogon connections unless the account is allowed. Note that this will become the default in early 2021, as Microsoft will release a second update to implement this.\n\n### Detecting the exploit\n\nThere are a handful of rules you can add to your security monitoring server (thank you [Corelight](<https://corelight.blog/2020/09/16/detecting-zerologon-cve-2020-1472-with-zeek/>) for these links).\n\n * [Splunk](<https://www.linkedin.com/feed/update/urn:li:activity:6711471711751168000/>)\n * [Sigma](<https://twitter.com/andriinb/status/1304676530350628864?s=1>)\n * [Zeek](<https://github.com/corelight/zerologon>)\n\nEvent ID 4742 is worth monitoring; it will show changes to a computer account, which is what Zerologon is doing. Though sadly this will likely only show you have already been compromised.\n\nThere are a number of other detection options in [this blog from Lares](<https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/>). Though sadly, like the above, this will likely only show you have already been compromised.\n\n### Conclusion\n\nSo in short, yes, you should worry. This will be exploited for many years to come; we are still seeing MS08-067 in use, and the exploits will get more reliable. The risk is very much real and the impact is as severe as it gets for an enterprise domain.\n\nThis is currently a changing threat: more and more researchers are looking at this and finding novel ways to exploit it.\n\nGet patching!\n\nThe post [CVE-2020-1472/Zerologon. 
As an IT manager should I worry?](<https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/>) first appeared on [Pen Test Partners](<https://www.pentestpartners.com/>).", "modified": "2020-09-23T05:05:06", "published": "2020-09-23T05:05:06", "id": "PENTESTPARTNERS:8FD1C9A0D76A3084445136A0275847C0", "href": "https://www.pentestpartners.com/security-blog/cve-2020-1472-zerologon-as-an-it-manager-should-i-worry/", "type": "pentestpartners", "title": "CVE-2020-1472/Zerologon. As an IT manager should I worry?", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}